...
Setup AWS IAM OIDC Provider
To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL. Prior to creating AWS policy and role, you need to setup Identity Provider using EKS cluster's OpenID Connect Provider URL.
Login to AWS Management Console, go to EKS > Clusters > Your Cluster Name.
On Overview tab, section Details, click on the copy button under OpenID Connect Provider URL to copy the URL to the clipboard.
Go to IAM > Identity Providers.
Add an Identity Provider and select OpenID Connect.
Paste the copied URL as Provider URL.
Enter "sts.amazonaws.com" as Audience.
Click Add Provider and proceed to complete the Identity Providers creation
Setup AWS IAM Policy and Role
...
Go to IAM > Roles > Your Role Name.
On the Trust relationship tab, edit trust policy.
Edit the "StringEquals" field to use the Fluent-bit's namespace and Service Account Name, as below:
Code Block { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::211006581866:oidc-provider/oidc.eks.ap-southeast-2.amazonaws.com/id/360F8C7227656FC5627D5DA70F181583" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.ap-southeast-2.amazonaws.com/id/360F8C7227656FC5627D5DA70F181583:sub": "system:serviceaccount:<Fluent-bit namespace>:<fluent-bit Service Account Name>" } } } ] }
Install Fluent-bit
To stream container logs to CloudWatch Logs, install AWS for Fluent-bit:
Create a namespace called amazon-cloudwatch with the following command:
Code Block kubectl create namespace amazon-cloudwatch
Create a ConfigMap called fluent-bit-cluster-info and replace my-cluster-name and my-cluster-region with your cluster's name and Region, as below:
Code Block ClusterName=<my-cluster-name> RegionName=<my-cluster-region> FluentBitHttpPort='2020' FluentBitReadFromHead='Off' [[ ${FluentBitReadFromHead} = 'On' ]] && FluentBitReadFromTail='Off'|| FluentBitReadFromTail='On' [[ -z ${FluentBitHttpPort} ]] && FluentBitHttpServer='Off' || FluentBitHttpServer='On' kubectl create configmap fluent-bit-cluster-info \ --from-literal=cluster.name=${ClusterName} \ --from-literal=http.server=${FluentBitHttpServer} \ --from-literal=http.port=${FluentBitHttpPort} \ --from-literal=read.head=${FluentBitReadFromHead} \ --from-literal=read.tail=${FluentBitReadFromTail} \ --from-literal=logs.region=${RegionName} -n amazon-cloudwatch
Deploy the Fluent-bit DaemonSet to the cluster with the following command:
Code Block kubectl apply -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml
Associate the IAM role to cloudwatch-agent and fluent-bit service accounts and replace ACCOUNT_ID and IAM_ROLE_NAME with AWS Account ID and the IAM role used for service accounts with the following command:
Code Block kubectl annotate serviceaccounts fluent-bit -n amazon-cloudwatch "eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
Go to CloudWatch > View logs and verify that the following log groups have been created:
Code Block /aws/containerinsights/Your Cluster Name/application /aws/containerinsights/Your Cluster Name/dataplane /aws/containerinsights/Your Cluster Name/host
For each log group, verify there are log streams available in the Log stream tab.
Install Elastic Search
Elastic search will be installed to the same namespace as Fluent-bit, i.e., amazon-cloudwatch.
...
Get the service name of the Elastic Search pods with the following command:
Code Block kubectl get svc -n amazon-cloudwatch
This service name is the value set to Host in [OUTPUT] directive.
Get username and password credential for Elastic X-Pack access. with the following commands:
Code Block kubectl get secrets --namespace=amazon-cloudwatch elasticsearch-master-credentials -ojsonpath='{.data.username}' | base64 -d
Code Block kubectl get secrets --namespace=amazon-cloudwatch elasticsearch-master-credentials -ojsonpath='{.data.password}' | base64 -d
The decrypted username and password are the values set to HTTP_User and HTTP_Passwd in [OUTPUT] directive.
Download the fluent-bit deamonset yaml file into a local directory with the following command:
Code Block curl https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml > fluent-bit.yaml
Edit the fluent-bit.yaml file by going to the ConfigMap named fluent-bit-config, and for each config file, add the output directive to send logs to Elastic Search, as below:
application-log.conf
Code Block [OUTPUT] Name es Match application.* Host elasticsearch-master tls on tls.verify off HTTP_User elastic HTTP_Passwd DbrfdbnzCNYympQZ Suppress_Type_Name On Index fluentbit.app
dataplane-log.conf
Code Block [OUTPUT] Name es Match dataplane.* Host elasticsearch-master tls on tls.verify off HTTP_User elastic HTTP_Passwd DbrfdbnzCNYympQZ Suppress_Type_Name On Index fluentbit.dataplane
host-log.conf
Code Block [OUTPUT] Name es Match host.* Host elasticsearch-master tls on tls.verify off HTTP_User elastic HTTP_Passwd DbrfdbnzCNYympQZ Suppress_Type_Name On Index fluentbit.host
Delete the existing fluent-bit pods, config map with the following command:
Code Block kubectl delete -f fluent-bit.yaml
Install and apply the new configuration to fluent-bit pods, config map with the following command:
Code Block kubectl apply -f fluent-bit.yaml
Re-associate the IAM role with the cloudwatch-agent and fluent-bit service accounts, and replace ACCOUNT_ID and IAM_ROLE_NAME with AWS Account ID and the IAM role used for service accounts with the following command:
Code Block kubectl annotate serviceaccounts fluent-bit -n amazon-cloudwatch "eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME"
Verify every Fluent-bit pod's log with the following command:
Code Block kubectl logs <fluent-bit pod name> -n amazon-cloudwatch
You should not see any error or exception if connection to Elastic Search is established successfully.
...