URL
NA
Component(s)
No response
Feedback
Alloy already has security-related documentation, but there is no single place which has an overview of it. It'd be good to have a "security hardening" doc with general information and with links that go in depth on certain topics.
For example, the list below is a request from a customer who needs such information. A good starting point for such a doc would be to be able to answer all the questions below.
1. Service Account Requirements (Windows, Linux, and Kubernetes)
1.1 Windows / Linux Hosts
Minimum Service Account Permissions
- What minimum OS-level permissions are required for the Grafana Alloy service account on Windows and Linux hosts?
- Does Grafana Alloy require privileged mode, direct access to the Docker socket, or root‑level permissions to collect logs and metrics?
Filesystem Access Requirements
Specify which directories must be accessible (read or write) to the Alloy service account.
1.2 Kubernetes (K8s)
Required RBAC Permissions
What Kubernetes RBAC roles, permissions, or bindings are needed for Alloy?
2. Permissions Required by the Grafana Alloy Agent
2.1 Host-Level Permissions
Confirm whether Alloy needs:
- Read‑only access to /var/log
- Access to the Docker socket (/var/run/docker.sock) for container logs and metrics
2.2 Network Permissions
Define which outbound connections Alloy requires.
3. mTLS and Secure Certificate / Key Management
3.1 mTLS Configuration
How are mTLS certificates, private keys, and CA bundles referenced in Alloy configuration syntax?
What security best practices exist for storing client certificates?
4. Logging Capabilities in Grafana Alloy
4.1 Types of Logs Produced
Confirm which categories of logs Alloy generates, such as:
- Operational logs (info, warning, error)
- Debug logs for troubleshooting
- Mechanisms for redacting or masking sensitive information
4.2 Security Logging
Determine whether Alloy logs:
- Authentication or authorization failures
- TLS/mTLS handshake issues
- RBAC permission denials
- Irregular or unexpected pipeline behavior
4.3 Auditability
Guidance on enabling detailed or verbose audit logging
Tip
React with 👍 if this issue is important to you.