Adds a Grafana Alloy DaemonSet that tails honeydue-namespace pod logs
from /var/log/pods and pushes them to Loki at obs.88oakapps.com,
reusing the existing OBS_INGEST_TOKEN (14-day retention).
- deploy-k3s/manifests/observability/alloy-logs.yaml — DaemonSet + RBAC
+ token Secret + Alloy config. Runs as root (/var/log/pods is 0750
root:root) but otherwise locked down: all caps dropped, read-only
root filesystem, seccomp RuntimeDefault, read-only hostPath mount.
- network-policies.yaml — allow-egress-from-alloy-logs (DNS + k8s API
+ obs HTTPS), mirroring the vmagent egress policy.
- 03-deploy.sh — applies alloy-logs with the OBS_INGEST_TOKEN
substitution and waits for the DaemonSet rollout.
The Loki container, nginx /loki/api/v1/push route, and Grafana Loki
datasource live on the obs server and are not repo-managed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Trey t