apiVersion: apps/v1 kind: DaemonSet metadata: name: fluentd namespace: monitoring labels: k8s-app: fluentd-logzio version: v1 spec: selector: matchLabels: k8s-app: fluentd-logzio template: metadata: labels: k8s-app: fluentd-logzio version: v1 spec: serviceAccount: fluentd serviceAccountName: fluentd tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule # Because the image's entrypoint requires to write on /fluentd/etc but we mount configmap there which is read-only, # this initContainers workaround or other is needed. # See https://github.com/fluent/fluentd-kubernetes-daemonset/issues/90 initContainers: - name: copy-fluentd-config image: busybox command: ['sh', '-c', 'cp /config-volume/..data/* /fluentd/etc'] volumeMounts: - name: config-volume mountPath: /config-volume - name: fluentdconf mountPath: /fluentd/etc containers: - name: fluentd image: logzio/logzio-openshift:0.0.1 securityContext: privileged: true env: - name: LOGZIO_LOG_SHIPPING_TOKEN valueFrom: secretKeyRef: name: logzio-logs-secret key: logzio-log-shipping-token - name: LOGZIO_LOG_LISTENER valueFrom: secretKeyRef: name: logzio-logs-secret key: logzio-log-listener - name: FLUENTD_SYSTEMD_CONF value: "disable" - name: FLUENTD_PROMETHEUS_CONF value: "disable" resources: limits: memory: 200Mi requests: cpu: 100m memory: 200Mi volumeMounts: - name: varlog mountPath: /var/log - name: varlibdockercontainers mountPath: /var/lib/docker/containers readOnly: true - name: config-volume mountPath: /config-volume - name: fluentdconf mountPath: /fluentd/etc terminationGracePeriodSeconds: 30 volumes: - name: varlog hostPath: path: /var/log - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers - name: config-volume configMap: name: fluentd-config - name: fluentdconf emptyDir: {} --- apiVersion: v1 kind: ServiceAccount metadata: name: fluentd namespace: monitoring --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: fluentd rules: - verbs: - get - list - watch apiGroups: - '' resources: - pods - namespaces --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: fluentd subjects: - kind: ServiceAccount name: fluentd namespace: monitoring roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: fluentd --- apiVersion: v1 kind: ConfigMap metadata: name: fluentd-config namespace: monitoring labels: k8s-app: fluentd-logzio data: fluent.conf: | @include "#{ENV['FLUENTD_SYSTEMD_CONF'] || 'systemd'}.conf" @include "#{ENV['FLUENTD_PROMETHEUS_CONF'] || 'prometheus'}.conf" @include kubernetes.conf @include system.conf @include conf.d/*.conf @type logzio_buffered @id out_logzio endpoint_url "#{ENV['LOGZIO_LOG_LISTENER']}?token=#{ENV['LOGZIO_LOG_SHIPPING_TOKEN']}" output_include_time true output_include_tags true # Set the buffer type to file to improve the reliability and reduce the memory consumption @type "#{ENV['LOGZIO_BUFFER_TYPE']}" path "#{ENV['LOGZIO_BUFFER_PATH']}" # Set queue_full action to block because we want to pause gracefully # in case of the off-the-limits load instead of throwing an exception overflow_action "#{ENV['LOGZIO_OVERFLOW_ACTION']}" # Set the chunk limit conservatively to avoid exceeding the GCL limit # of 10MiB per write request. chunk_limit_size "#{ENV['LOGZIO_CHUNK_LIMIT_SIZE']}" # Cap the combined memory usage of this buffer and the one below to # 2MiB/chunk * (6 + 2) chunks = 16 MiB queue_limit_length "#{ENV['LOGZIO_QUEUE_LIMIT_LENGTH']}" # Never wait more than 5 seconds before flushing logs in the non-error case. flush_interval "#{ENV['LOGZIO_FLUSH_INTERVAL']}" # Never wait longer than 30 seconds between retries. retry_max_interval "#{ENV['LOGZIO_RETRY_MAX_INTERVAL']}" # Disable the limit on the number of retries (retry forever). retry_forever "#{ENV['LOGZIO_RETRY_FOREVER']}" # Use multiple threads for processing. flush_thread_count "#{ENV['LOGZIO_FLUSH_THREAD_COUNT']}" kubernetes.conf: | # container logs @type tail @id in_tail_container_logs path "/var/log/containers/*.log" pos_file "/var/lib/fluentd/pos/containers.log.pos" exclude_path ["/var/log/containers/fluentd*.log", "/var/log/containers/*openshift*.log"] refresh_interval 5 rotate_wait 5 tag logzio.kubernetes.* read_from_head "true" @type multi_format format json time_format '%Y-%m-%dT%H:%M:%S.%N%Z' keep_time_key true format regexp expression /^(? # The following section is for audit logs. You can uncomment it if you wish to send audit logs. # Please note that the cluster produces a massive amount of audit logs, which can increase dramatically your log volume. # # k8s audit logs # # @type tail # @id in_tail_k8s_audit # path "/var/log/kube-apiserver/audit.log" # pos_file "/var/lib/fluentd/pos/kube-apiserver.audit.log.pos" # tag logzio.k8s-audit # # @type json # # # # Openshift audit logs # # @type tail # @id in_tail_openshift_audit # path /var/log/oauth-apiserver/audit.log,/var/log/openshift-apiserver/audit.log # pos_file /var/lib/fluentd/pos/oauth-apiserver.audit.log # tag logzio.openshift-audit # # @type json # # # # Openshift Virtual Network (OVN) audit logs # # @type tail # @id in_tail_ovn_audit # path "/var/log/ovn/acl-audit-log.log" # pos_file "/var/lib/fluentd/pos/acl-audit-log.pos" # tag logzio.ovn-audit # refresh_interval 5 # rotate_wait 5 # read_from_head true # # @type none # # # # linux audit logs # # @type tail # @id in_linux_audit # path "/var/log/audit/audit.log" # pos_file "/var/lib/fluentd/pos/audit.log.pos" # tag logzio.linux-audit # # @type none # # # # This handles linux audit logs # # @type parse_audit_log # key message # flatten false # # This handles multiline exceptions automatically: https://github.com/GoogleCloudPlatform/fluent-plugin-detect-exceptions @type detect_exceptions remove_tag_prefix logzio message log languages all multiline_flush_interval 0.1 # This adds type to the log && change key log to message @type record_modifier type openshift message ${record["log"]} remove_keys log @type kubernetes_metadata @id filter_kube_metadata kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}" verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}" system.conf: | log_level "#{ENV['LOGZIO_LOG_LEVEL']}" systemd.conf: | # Logs from systemd-journal for interesting services. @type systemd @id in_systemd_kubelet filters [{ "_SYSTEMD_UNIT": "kubelet.service" }] @type local persistent true path /var/log/fluentd-journald-kubelet-cursor.json read_from_head true tag kubelet # Logs from docker-systemd @type systemd @id in_systemd_docker filters [{ "_SYSTEMD_UNIT": "docker.service" }] @type local persistent true path /var/log/fluentd-journald-docker-cursor.json read_from_head true tag docker.systemd # Logs from systemd-journal for interesting services. @type systemd @id in_systemd_bootkube filters [{ "_SYSTEMD_UNIT": "bootkube.service" }] @type local persistent true path /var/log/fluentd-journald-bootkube-cursor.json read_from_head true tag bootkube