
Overview

Some Rancher-managed clusters, including Talos-based clusters and clusters with Kyverno or PodSecurity admission policies, enforce the Kubernetes PodSecurity baseline policy. That blocks the promtail pods, because they mount node hostPath volumes.

Promtail and PodSecurity baseline

The Arize AX chart deploys a promtail DaemonSet that mounts node hostPath volumes (/var/log/pods, /var/lib/docker/containers, and similar) to ship pod logs to Loki. The PodSecurity baseline policy rejects hostPath volumes, so on Talos, Kyverno-enforced clusters, and other restricted-PSA environments no promtail pod can schedule. Look for promtail in the output of kubectl get events -n arize:
pods "promtail-xxxxx" is forbidden: violates PodSecurity "baseline:latest":
  hostPath volumes (volumes "run", "containers", "pods")
Promtail is not in the install-blocking path. The rest of Arize AX installs and runs without it, but in-cluster log shipping to Loki will be missing until you address the policy. The simplest fix is to relax PSA enforcement for the arize namespace:
kubectl label ns arize pod-security.kubernetes.io/enforce=privileged --overwrite
kubectl rollout restart daemonset/promtail -n arize
This relaxes PodSecurity for the arize namespace as a whole, not just promtail. If your platform team requires a tighter scope, use a Kyverno PolicyException (or your policy engine’s equivalent) targeting only the promtail DaemonSet’s hostPath volumes instead.
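As an added example of that narrower scope (not a manifest shipped by the Arize AX chart or by Kyverno), the following Kyverno PolicyException exempts only the promtail DaemonSet and its pods in the arize namespace from the hostPath rule, leaving baseline enforcement in place for everything else. The policy and rule names (disallow-host-path, host-path, autogen-host-path) are assumed from the Kyverno pod-security policy library, and the exception name and apiVersion are assumptions; check the names with kubectl get clusterpolicy and confirm PolicyExceptions are enabled in your Kyverno install before applying.

```yaml
# Assumed apiVersion: older Kyverno releases serve PolicyException as v2beta1.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  # Hypothetical name; any name is fine.
  name: promtail-hostpath-exception
  namespace: arize
spec:
  exceptions:
    # Assumed policy/rule names from the Kyverno pod-security baseline library.
    # "autogen-host-path" is the controller-level rule Kyverno generates for
    # workloads such as DaemonSets; "host-path" covers the Pods themselves.
    - policyName: disallow-host-path
      ruleNames:
        - host-path
        - autogen-host-path
  match:
    any:
      - resources:
          kinds:
            - DaemonSet
            - Pod
          namespaces:
            - arize
          # Matches the DaemonSet and the pods it creates (promtail-xxxxx).
          names:
            - promtail
            - promtail-*
```

Apply it with kubectl apply -f, then run the same kubectl rollout restart daemonset/promtail -n arize from above and confirm the hostPath violation no longer appears in kubectl get events -n arize.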

Next steps