How to configure fluentd daemonset for RBAC
When you are defining your daemonset you can also define your RBAC.
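```yaml
# rbac.authorization.k8s.io/v1 is the stable RBAC API (v1beta1 was removed in Kubernetes 1.22).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fluentd-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluentd-service-account
subjects:
# The subject must name the ServiceAccount and the namespace it lives in.
- kind: ServiceAccount
  name: fluentd-service-account
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped, so it carries no metadata.namespace.
  name: fluentd-service-account
rules:
  # "*" matches every API group; pods and namespaces are in the core group ("").
  - apiGroups: ["*"]
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - watch
      - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluentd-service-account
  namespace: kube-system
```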
Get "403 Forbidden" message when running the pod
The link shows the solution.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluentd
  namespace: system
---
# rbac.authorization.k8s.io/v1 is the stable RBAC API (v1beta1 was removed in Kubernetes 1.22).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole is cluster-scoped, so it carries no metadata.namespace.
  name: fluentd
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: fluentd
roleRef:
  kind: ClusterRole
  name: fluentd
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: fluentd
  namespace: system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd
  namespace: system
data:
  fluent.conf: |
    @include kubernetes.conf
    <match **>
      type elasticsearch
      log_level info
      include_tag_key true
      host elastic.system.svc.cluster.local
      port 9200
      user elastic
      password <...>
      logstash_format true
      buffer_chunk_limit 2M
      buffer_queue_limit 32
      flush_interval 5s
      max_retry_wait 30
      disable_retry_limit
      num_threads 8
    </match>
---
# DaemonSet is served from apps/v1 (extensions/v1beta1 was removed in Kubernetes 1.16).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
  namespace: system
  labels:
    k8s-app: fluentd-logging
    version: v1
    kubernetes.io/cluster-service: "true"
spec:
  # apps/v1 requires a selector that matches the pod template labels.
  selector:
    matchLabels:
      k8s-app: fluentd-logging
  template:
    metadata:
      labels:
        k8s-app: fluentd-logging
        version: v1
        kubernetes.io/cluster-service: "true"
    spec:
      # The pod runs as the ServiceAccount bound in the ClusterRoleBinding above.
      serviceAccount: fluentd
      serviceAccountName: fluentd
      containers:
      - name: fluentd
        image: fluent/fluentd-kubernetes-daemonset:elasticsearch
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
        - name: config
          mountPath: /fluentd/etc/fluent.conf
          subPath: fluent.conf
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: config
        configMap:
          name: fluentd
```
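To see which requests a given set of manifests still leaves at 403, the following added example (not code from the answers on this page) evaluates ClusterRole and ClusterRoleBinding grants offline. The dicts are constructed to mirror the two manifest sets above, `NEEDED` is an assumption taken from the first manifest, and namespaced Roles, group subjects and subresources are not modelled.

```python
# Added example: offline check of cluster-wide RBAC grants for a ServiceAccount.
# NEEDED is an assumption (the rules in the page's first manifest).
NEEDED = [(v, r) for r in ("pods", "namespaces") for v in ("get", "list", "watch")]

def _match(values, wanted):
    return "*" in values or wanted in values

def allowed(objs, sa_ns, sa_name, verb, resource, group=""):
    """True if a ClusterRoleBinding gives the ServiceAccount `verb` on `resource`."""
    roles = {o["metadata"]["name"]: o for o in objs if o["kind"] == "ClusterRole"}
    for b in (o for o in objs if o["kind"] == "ClusterRoleBinding"):
        # The subject must match on kind, namespace AND name, or the grant does not apply.
        bound = any((s.get("kind"), s.get("namespace"), s.get("name"))
                    == ("ServiceAccount", sa_ns, sa_name) for s in b.get("subjects", []))
        cr = roles.get(b["roleRef"]["name"]) if b["roleRef"]["kind"] == "ClusterRole" else None
        if not bound or cr is None:
            continue
        if any(_match(r.get("apiGroups", []), group) and _match(r.get("resources", []), resource)
               and _match(r.get("verbs", []), verb) for r in cr.get("rules", [])):
            return True
    return False

def missing(objs, sa_ns, sa_name):
    """Entries of NEEDED that no binding grants, i.e. requests that would be Forbidden."""
    return [(v, r) for v, r in NEEDED if not allowed(objs, sa_ns, sa_name, v, r)]

def wildcard_groups(objs):
    """Names of ClusterRoles whose rules use apiGroups '*' instead of a specific group."""
    return [o["metadata"]["name"] for o in objs if o["kind"] == "ClusterRole"
            and any("*" in r.get("apiGroups", []) for r in o.get("rules", []))]

def mk_role(name, groups, resources):  # constructed sample data
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": [
        {"apiGroups": groups, "resources": resources, "verbs": ["get", "list", "watch"]}]}

def mk_binding(name, sa_ns, sa_name):  # constructed sample data
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}]}

FIRST = [mk_role("fluentd-service-account", ["*"], ["pods", "namespaces"]),
         mk_binding("fluentd-service-account", "kube-system", "fluentd-service-account")]
SECOND = [mk_role("fluentd", [""], ["pods"]), mk_binding("fluentd", "system", "fluentd")]

if __name__ == "__main__":
    print(missing(FIRST, "kube-system", "fluentd-service-account"))
    print(missing(FIRST, "default", "fluentd-service-account"))  # namespace mismatch
    print(missing(SECOND, "system", "fluentd"))
    print(wildcard_groups(FIRST + SECOND))
```

On a live cluster the same questions can be asked with `kubectl auth can-i list pods --as=system:serviceaccount:<namespace>:<name>`.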