Let's reorganize the order in which we evaluate the upgrade.
This is the Fluent Bit plugin used to ship log data to Amazon CloudWatch Logs on AWS. Fluent Bit itself is a log processing and forwarding service: it collects logs from many sources, processes them, and sends them to many destinations.
image.tag: the version of the Fluent Bit Docker image; here "2.13.0".
cloudWatch.logGroupName: the Log Group name in CloudWatch Logs; here the path is generated dynamically from the var.project and terraform.workspace variables.
cloudWatch.logRetentionDays: how many days logs are retained in CloudWatch Logs; here var.cloudwatch_log_retention_days is used as the value.
firehose.enabled: whether the AWS Firehose output plugin is enabled; here "false".
kinesis.enabled: whether the AWS Kinesis Data Streams output plugin is enabled; here "false".
elasticsearch.enabled: whether the Elasticsearch output plugin is enabled; here "false".
Notice that none of these settings touch PSP.
resource "helm_release" "aws_cloudwatch_logs_for_fluent_bit" {
  count      = var.enabled_resources.aws_cloudwatch_logs_for_fluent_bit ? 1 : 0
  name       = "aws-cloudwatch-logs"
  repository = "https://aws.github.io/eks-charts"
  chart      = "aws-for-fluent-bit"
  version    = "0.1.7"
  namespace  = "kube-system"

  set {
    name  = "image.tag"
    value = "2.13.0"
  }

  set {
    name  = "cloudWatch.region"
    value = var.region
  }

  set {
    name  = "cloudWatch.logGroupName"
    value = "/aws/containerinsights/${var.project}-${terraform.workspace}/application"
  }

  set {
    name  = "cloudWatch.logRetentionDays"
    value = var.cloudwatch_log_retention_days
  }

  set {
    name  = "firehose.enabled"
    value = "false"
  }

  set {
    name  = "kinesis.enabled"
    value = "false"
  }

  set {
    name  = "elasticsearch.enabled"
    value = "false"
  }
}
Next, let's look at the existing settings:
k describe psp aws-cloudwatch-logs-aws-for-fluent-bit
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
Name:         aws-cloudwatch-logs-aws-for-fluent-bit
Namespace:
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: aws-cloudwatch-logs
              meta.helm.sh/release-namespace: kube-system
API Version:  policy/v1beta1
Kind:         PodSecurityPolicy
Metadata:
  Creation Timestamp:  2021-05-18T06:36:30Z
  Resource Version:    31987514
  UID:                 9fb7968c-92b0-4fbd-8b80-61875bb02b7c
Spec:
  Allow Privilege Escalation:  false
  Allowed Host Paths:
    Path Prefix:  /var/log
    Path Prefix:  /var/lib/docker/containers
    Read Only:    true
  Fs Group:
    Ranges:
      Max:  65535
      Min:  1
    Rule:   MustRunAs
  Required Drop Capabilities:
    ALL
  Run As User:
    Rule:  RunAsAny
  Se Linux:
    Rule:  RunAsAny
  Supplemental Groups:
    Ranges:
      Max:  65535
      Min:  1
    Rule:   MustRunAs
  Volumes:
    configMap
    secret
    hostPath
    projected
Events:  <none>
The official documentation does not make any special PSP configuration adjustments either.
The official documentation also states no requirements or notes about the Kubernetes version, so we will update it straight to the latest version.
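As an added example (not from the original post or the aws-for-fluent-bit project), the check below reads the output of `kubectl get psp -o json`, records which Helm release owns each PSP and which host paths it allows, and lists the PSPs that a target Kubernetes version will no longer serve (the describe output above already warns they are unavailable in v1.25+). The JSON sample is constructed to mirror the PSP shown above; field names follow the policy/v1beta1 API.

```python
import json

# Constructed sample of `kubectl get psp -o json`, trimmed to the fields
# this check reads and mirroring the PSP described on this page.
SAMPLE_PSP_LIST = json.dumps({"items": [{
    "apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
    "metadata": {
        "name": "aws-cloudwatch-logs-aws-for-fluent-bit",
        "labels": {"app.kubernetes.io/managed-by": "Helm"},
        "annotations": {"meta.helm.sh/release-name": "aws-cloudwatch-logs",
                        "meta.helm.sh/release-namespace": "kube-system"}},
    "spec": {
        "allowPrivilegeEscalation": False,
        "allowedHostPaths": [{"pathPrefix": "/var/log"},
                             {"pathPrefix": "/var/lib/docker/containers",
                              "readOnly": True}],
        "requiredDropCapabilities": ["ALL"],
        "volumes": ["configMap", "secret", "hostPath", "projected"]}}]})


def psp_api_available(server_version: str) -> bool:
    """policy/v1beta1 PodSecurityPolicy is served only below Kubernetes 1.25."""
    major, minor = (int(p) for p in server_version.lstrip("v").split(".")[:2])
    return (major, minor) < (1, 25)


def psp_inventory(psp_list_json: str) -> list:
    """One record per PSP: owning Helm release and the host access it grants."""
    records = []
    for item in json.loads(psp_list_json).get("items", []):
        meta, spec = item["metadata"], item["spec"]
        ann = meta.get("annotations", {})
        paths = spec.get("allowedHostPaths", [])
        records.append({
            "name": meta["name"],
            "helm_release": ann.get("meta.helm.sh/release-name"),
            "privileged": spec.get("privileged", False),
            "host_paths": [p["pathPrefix"] for p in paths],
            # Host paths without readOnly are mountable read-write by pods.
            "writable_host_paths": [p["pathPrefix"] for p in paths
                                    if not p.get("readOnly", False)],
        })
    return records


def upgrade_blockers(psp_list_json: str, target_version: str) -> dict:
    """Map each Helm release to the PSPs it owns that vanish at target_version."""
    if psp_api_available(target_version):
        return {}
    blockers = {}
    for rec in psp_inventory(psp_list_json):
        blockers.setdefault(rec["helm_release"] or "(unmanaged)", []).append(rec["name"])
    return blockers
```

Feed it the real `kubectl get psp -o json` output and the planned `kubectl version` server string; an empty result from `upgrade_blockers` means no PSP object will be lost by the upgrade.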