Configuring Fluent Bit for Yandex Cloud Logging
Note
You can enable sending logs from the Managed Service for Kubernetes master host to Cloud Logging by specifying the master logging setting when creating or updating your cluster. The setting is only available in the API, CLI, and Terraform. To learn more, see Sending Managed Service for Kubernetes cluster logs to Cloud Logging.
The Fluent Bit
Transferring Yandex Managed Service for Kubernetes cluster logs to Yandex Cloud Logging
You can send Managed Service for Kubernetes cluster logs to Cloud Logging:
- To enable sending Managed Service for Kubernetes master logs, use the master logging setting when creating or updating a cluster. The setting is only available in the API, CLI, and Terraform.
- To send pod and service logs, use the Fluent Bit application with the Cloud Logging plugin in the Managed Service for Kubernetes cluster.
Sending master logs to Managed Service for Kubernetes in Cloud Logging using master logging
To set up the transfer of Managed Service for Kubernetes master logs to Cloud Logging:
If you no longer need the resources you created, delete them.
Getting started
Prepare the infrastructure:
- If you do not have a network yet, create one.
- If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
- Create service accounts:
  - Service account for Managed Service for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.
  - Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.
  Tip
  You can use the same service account for both operations.
- Assign the logging.writer role to the service account for resources. This role is required by the Managed Service for Kubernetes cluster to send logs to Cloud Logging.
- Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for the resources and nodes.
- Configure security groups for the Managed Service for Kubernetes cluster.
- If you do not have Terraform yet, install it.
- Download the file with provider settings. Place it in a separate working directory and specify the parameter values.
- Download the k8s-cluster-with-master-logging.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.
  This file describes:
  - Network.
  - Subnet.
  - Security groups and rules required for a Managed Service for Kubernetes cluster and node group:
    - Rules for service traffic.
    - Rules for accessing the Kubernetes API and managing a Managed Service for Kubernetes cluster using kubectl through ports 443 and 6443.
    - Rules for accessing services from the internet.
  - Service account for resources and Managed Service for Kubernetes nodes and sending cluster logs to Cloud Logging.
  - Managed Service for Kubernetes cluster.
  - Managed Service for Kubernetes node group.
  - Cloud Logging log group.
- Specify the following in the configuration file:
  - Folder ID.
  - Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
  - Name of the service account for resources and Managed Service for Kubernetes nodes and for sending cluster logs to Cloud Logging.
  - Cloud Logging log group name.
- Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.
- Check that the Terraform configuration files are correct using this command:
  terraform validate
  If there are any errors in the configuration files, Terraform will point them out.
- Create the required infrastructure:
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
Enable the master logging setting
If you created the infrastructure manually, enable the master logging setting:
- If you do not have the Yandex Cloud CLI yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- Run this command:
  yc managed-kubernetes cluster update <cluster_name> \
    --master-logging enabled=true,`
      `log-group-id=<log_group_ID>,`
      `kube-apiserver-enabled=<send_kube-apiserver_logs:_true_or_false>,`
      `cluster-autoscaler-enabled=<send_cluster-autoscaler_logs:_true_or_false>,`
      `events-enabled=<send_Kubernetes_events:_true_or_false>,`
      `audit-enabled=<send_audit_events:_true_or_false>
  Where:
  - enabled: Flag that enables sending logs.
  - log-group-id: ID of the previously created log group to send the logs to.
  - kube-apiserver-enabled: Flag that enables sending kube-apiserver logs.
  - cluster-autoscaler-enabled: Flag that enables sending cluster-autoscaler logs.
  - events-enabled: Flag that enables sending Kubernetes events.
  - audit-enabled: Flag that enables sending audit events.
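A pre-flight check for the --master-logging value described above, added here as an example and not part of the Yandex Cloud documentation or CLI. The key names come from the page; the function name, the default rule that kube-apiserver-enabled and audit-enabled must be true, and the character set accepted for log-group-id are assumptions of this example.

```sh
#!/bin/sh
# Added example: lint a --master-logging value before running
# `yc managed-kubernetes cluster update`. Key names are from the page; the
# function name and the default "required" policy are assumptions.
check_master_logging() {
  value=$1
  required=${2:-"kube-apiserver-enabled audit-enabled"}
  rc=0; on=""; has_group=no
  old_ifs=$IFS; IFS=','; set -f
  for pair in $value; do
    key=${pair%%=*}; val=${pair#*=}
    case $key in
      log-group-id)
        # Assumed ID alphabet; this also rejects an unreplaced <placeholder>.
        case $val in
          ''|*[!A-Za-z0-9_-]*) echo "bad log-group-id: $val"; rc=1 ;;
          *) has_group=yes ;;
        esac ;;
      enabled|kube-apiserver-enabled|cluster-autoscaler-enabled|events-enabled|audit-enabled)
        case $val in
          true) on="$on $key" ;;
          false) ;;
          *) echo "bad value for $key: $val"; rc=1 ;;
        esac ;;
      *) echo "unknown key: $key"; rc=1 ;;
    esac
  done
  set +f; IFS=$old_ifs
  [ "$has_group" = yes ] || { echo "log-group-id missing or invalid"; rc=1; }
  # Every required stream, and the master switch, must be explicitly true.
  for key in enabled $required; do
    case " $on " in
      *" $key "*) ;;
      *) echo "not enabled: $key"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed value: the comma between events-enabled and audit-enabled is missing.
check_master_logging 'enabled=true,log-group-id=e23constructedid,kube-apiserver-enabled=true,events-enabled=trueaudit-enabled=true' \
  || echo "value rejected, do not run the update"
```

Pass a second argument to change which streams are required, for example `check_master_logging "$value" 'audit-enabled events-enabled'`.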
Check the result
Check the transfer of Managed Service for Kubernetes master logs to the Cloud Logging log group.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:
- Delete the Managed Service for Kubernetes cluster.
- If you reserved a static public IP address for your Managed Service for Kubernetes cluster, release and delete it.
- Delete the created subnets and networks.
- Delete service accounts you created.
- Delete the log group.
- In the terminal window, go to the directory containing the infrastructure plan.
  Warning
  Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
- Delete resources:
  - Run this command:
    terraform destroy
  - Confirm deleting the resources and wait for the operation to complete.
  All the resources described in the Terraform manifests will be deleted.
Sending pod logs and service logs via Fluent Bit
To configure the transfer of Yandex Managed Service for Kubernetes pod, service, and node system logs to Yandex Cloud Logging:
If you no longer need the resources you created, delete them.
Getting started
Set up your infrastructure:
- If you do not have a network yet, create one.
- If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
- Create service accounts for Managed Service for Kubernetes:
  - Service account for Managed Service for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.
  - Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.
  Tip
  You can use the same service account for both operations.
- Create a service account for Cloud Logging with the logging.writer and monitoring.editor roles. It will be used to run Fluent Bit.
- Create an authorized key for the Cloud Logging service account and save it to the key.json file.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for resources and nodes and the security group.
- If you do not have Terraform yet, install it.
- Download the file with provider settings. Place it in a separate working directory and specify the parameter values.
- Download the k8s-cluster-with-log-group.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.
  This file describes:
  - Cloud Logging log group.
  - Managed Service for Kubernetes cluster.
  - Managed Service for Kubernetes node group.
  - Service account for Managed Service for Kubernetes resources and nodes.
  - Service account for Cloud Logging.
  - Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.
    Warning
    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Specify the following in the configuration file:
  - Folder ID.
  - Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
  - Name of the service account for Managed Service for Kubernetes resources and nodes.
  - Name of the service account for Cloud Logging.
  - Cloud Logging log group name.
- Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.
- Check that the Terraform configuration files are correct using this command:
  terraform validate
  If there are any errors in the configuration files, Terraform will point them out.
- Create the required infrastructure:
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
Install and configure Fluent Bit
Select the Fluent Bit installation option depending on what logs you want to collect and send to Cloud Logging:
- Collect only Managed Service for Kubernetes pod and service logs.
- Collect Managed Service for Kubernetes pod, service, and node system logs.
Installing Fluent Bit to collect pod and service logs
Install Fluent Bit by following this guide. In the application settings, specify the ID of the log group you created earlier. You can get the log group ID with the list of log groups in the folder.
- Install kubectl and configure it to work with the created cluster.
- Create the objects required for Fluent Bit to run:
  kubectl create namespace logging && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml
- Create a secret containing the key of the service account for Cloud Logging you created earlier:
  kubectl create secret generic secret-key-json \
    --from-file=key.json \
    --namespace logging
- Download the config.yaml configuration file:
  wget https://raw.githubusercontent.com/knpsh/yc-logging-fluent-bit-example/main/config.yaml
- Specify the ID of the log group created earlier and (optionally) the cluster ID in the [OUTPUT] section of the config.yaml file:
  ...
  output-elasticsearch.conf: |
    [OUTPUT]
      Name            yc-logging
      Match           *
      group_id        <log_group_ID>
      resource_id     <optional_cluster_ID>
      message_key     log
      authorization   iam-key-file:/etc/secret/key.json
  ...
  You can get the log group ID with the list of log groups in the folder, and the cluster ID with the list of clusters in the folder.
  Specify additional settings for Fluent Bit, if required.
- Create Fluent Bit objects:
  kubectl apply -f config.yaml
  Result:
  configmap/fluent-bit-config created
  daemonset.apps/fluent-bit created
- Make sure the Fluent Bit pod has entered the Running state:
  kubectl get pods -n logging
Installing Fluent Bit to collect pod, service logs and node system logs
- Install kubectl and configure it to work with the created cluster.
- Install Helm v3.8.0 or higher.
- Download the Fluent Bit configuration file named systemd.yaml.
- To install a Helm chart with Fluent Bit, run this command:
  cat key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
  helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/fluent-bit/fluent-bit \
    --version 2.1.7-3 \
    --untar && \
  helm install -f <systemd.yaml_file_path> \
    --namespace <namespace> \
    --create-namespace \
    --set loggingGroupId=<log_group_ID> \
    --set loggingFilter=<cluster_ID> \
    --set-file auth.json=key.json \
    fluentbit ./fluent-bit/
  For the current version of the Helm chart, see this Yandex Cloud Marketplace page.
  This command will create a new namespace required for Fluent Bit.
  Note
  If you are using a Helm version below 3.8.0, add the export HELM_EXPERIMENTAL_OCI=1 && \ string to the beginning of the command to enable Open Container Initiative (OCI) support in the Helm client.
- Install kubectl and configure it to work with the created cluster.
- Create the objects required for Fluent Bit to run:
  kubectl create namespace logging && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
  kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml
- Create a secret containing the key of the service account for Cloud Logging you created earlier:
  kubectl create secret generic secret-key-json \
    --from-file=key.json \
    --namespace logging
- Download the Fluent Bit configuration file named config.yaml.
- Specify the ID of the previously created log group in the [OUTPUT] sections of the config.yaml file:
  ...
  output-elasticsearch.conf: |
    [OUTPUT]
      Name            yc-logging
      Match           kube.*
      group_id        <log_group_ID>
      resource_type   {kubernetes/namespace_name}
      resource_id     {kubernetes/pod_name}
      stream_name     {kubernetes/host}
      message_key     log
      level_key       severity
      default_level   INFO
      authorization   iam-key-file:/etc/secret/key.json

    [OUTPUT]
      Name            yc-logging
      Match           host.*
      group_id        <log_group_ID>
      resource_type   systemd
      resource_id     {_SYSTEMD_UNIT}
      stream_name     {_HOSTNAME}
      message_key     MESSAGE
      level_key       SEVERITY
      default_level   INFO
      authorization   iam-key-file:/etc/secret/key.json
  ...
  You can request the log group ID with the list of log groups in the folder.
  Specify additional settings for Fluent Bit, if required.
- Create Fluent Bit objects:
  kubectl apply -f config.yaml
  Result:
  configmap/fluent-bit-config created
  daemonset.apps/fluent-bit created
- Make sure the Fluent Bit pod has entered the Running state:
  kubectl get pods -n logging
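A pre-apply lint for the yc-logging [OUTPUT] sections edited in both manual installation variants above (added example, not code from Yandex Cloud or the Fluent Bit project). It goes beyond the single-section case and checks any number of sections, flagging one that still carries a placeholder or lacks the iam-key-file authorization the page uses; the function name and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint the yc-logging [OUTPUT] sections of a Fluent Bit config
# before `kubectl apply`. lint_yc_outputs is a hypothetical helper name.
lint_yc_outputs() {
  awk '
    function finish(   why) {
      if (!in_out || tolower(kv["name"]) != "yc-logging") return
      n++
      if (kv["match"] == "") why = why " match-missing"
      if (kv["group_id"] == "" || kv["group_id"] ~ /[<>]/) why = why " group_id-unset"
      if (kv["authorization"] !~ /^iam-key-file:\//) why = why " authorization-not-key-file"
      if (why != "") bad++
      printf "OUTPUT #%d match=%s:%s\n", n, kv["match"], (why == "" ? " ok" : why)
    }
    # A bracketed header opens a new section; only [OUTPUT] is inspected.
    $1 ~ /^\[[A-Za-z_]+\]$/ { finish(); in_out = ($1 == "[OUTPUT]"); split("", kv); next }
    # A blank line or a bare "..." ends the current section.
    NF < 2 { finish(); in_out = 0; next }
    in_out { kv[tolower($1)] = $2 }
    END {
      finish()
      if (n == 0) { print "no yc-logging [OUTPUT] section found"; exit 1 }
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample: the host.* section still holds the page placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  output-elasticsearch.conf: |
    [OUTPUT]
        Name            yc-logging
        Match           kube.*
        group_id        e23constructedid
        authorization   iam-key-file:/etc/secret/key.json

    [OUTPUT]
        Name            yc-logging
        Match           host.*
        group_id        <log_group_ID>
        authorization   iam-key-file:/etc/secret/key.json
EOF
lint_yc_outputs "$sample" || echo "fix the flagged sections before kubectl apply"
rm -f "$sample"
```

Run it as `lint_yc_outputs config.yaml` after editing the file; a non-zero exit means at least one section would send nothing to the log group.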
Check the result
Test the transfer of logs of Managed Service for Kubernetes pods and services to your Cloud Logging log group.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:
- Delete the Managed Service for Kubernetes cluster.
- If you reserved a static public IP address for your Managed Service for Kubernetes cluster, release and delete it.
- Delete the created subnets and networks.
- Delete service accounts you created.
- Delete the log group.
- In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.
- Delete the k8s-cluster-with-log-group.tf configuration file.
- Make sure the Terraform configuration files are correct using this command:
  terraform validate
  If there are any errors in the configuration files, Terraform will point them out.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
  All the resources described in the k8s-cluster-with-log-group.tf configuration file will be deleted.