
FluentBit

# Install the EKS Pod Identity Agent add-on on the cluster. The JSON response
# on stdout is discarded; errors still reach stderr.
# NOTE(review): the IAM role created further down this page is trusted through
# the cluster's OIDC provider (sts:AssumeRoleWithWebIdentity, i.e. IRSA), not
# through a Pod Identity association -- confirm this add-on is actually needed.
aws eks create-addon \
  --addon-name eks-pod-identity-agent \
  --cluster-name skills-eks-cluster \
  >/dev/null
# Look up the ARN of the OpenSearch domain. It is interpolated into the
# Resource element of es-policy.json in the next step, so check that it is
# non-empty before continuing.
ES_ARN="$(
  aws opensearch describe-domain \
    --domain-name skills-opensearch-domain \
    --query 'DomainStatus.ARN' \
    --output text
)"
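# Write the identity policy that lets the Fluent Bit role call the domain's
# HTTP API. The heredoc delimiter is unquoted on purpose so the shell expands
# the domain ARN; the :? guard aborts the command instead of writing a policy
# with an empty Resource when ES_ARN was never set.
# NOTE(review): es:ESHttp* also covers es:ESHttpDelete. A log shipper normally
# only writes, so consider listing just the verbs it needs (for example
# es:ESHttpPost / es:ESHttpPut) -- confirm against what Fluent Bit calls.
# NOTE(review): AWS's examples scope data-plane actions to "<domain-arn>/*";
# confirm that the bare domain ARN covers the paths Fluent Bit writes to.
cat > es-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:ESHttp*"
      ],
      "Resource": "${ES_ARN:?ES_ARN is empty - run the describe-domain step first}",
      "Effect": "Allow"
    }
  ]
}
EOF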
# Register es-policy.json as a customer-managed IAM policy named es-policy.
# The policy description printed on stdout is dropped; errors stay on stderr.
aws iam create-policy \
  --policy-document file://es-policy.json \
  --policy-name es-policy \
  >/dev/null
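# Write the role trust policy for IAM Roles for Service Accounts (IRSA).
# ACCOUNT_ID and CLUSTER_OIDC are not assigned anywhere on this page and must
# be set beforehand; the :? guards abort the command instead of emitting a
# policy with an empty principal.
# NOTE(review): CLUSTER_OIDC is presumably the cluster's OIDC issuer without
# the https:// scheme -- confirm against how it was exported.
# The two StringEquals conditions are what restrict the role: "sub" pins it to
# the fluent-bit service account in the default namespace and "aud" to tokens
# issued for STS. Dropping the "sub" condition would let any service account
# that federates through this provider assume the role.
cat > trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID:?ACCOUNT_ID is not set}:oidc-provider/${CLUSTER_OIDC:?CLUSTER_OIDC is not set}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${CLUSTER_OIDC}:sub": "system:serviceaccount:default:fluent-bit",
          "${CLUSTER_OIDC}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF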
# Create the IAM role es-role with trust-policy.json as its assume-role
# (trust) policy. The role description on stdout is dropped.
aws iam create-role \
  --assume-role-policy-document file://trust-policy.json \
  --role-name es-role \
  >/dev/null
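# Attach the customer-managed es-policy to es-role.
# The ARN is quoted and guarded: with ACCOUNT_ID unset the original expansion
# silently produced "arn:aws:iam:::policy/es-policy".
aws iam attach-role-policy \
  --role-name es-role \
  --policy-arn "arn:aws:iam::${ACCOUNT_ID:?ACCOUNT_ID is not set}:policy/es-policy"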
# ServiceAccount the Fluent Bit pods run as. Its name and namespace must match
# the "sub" condition of the role trust policy
# (system:serviceaccount:default:fluent-bit).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluent-bit
  namespace: default
  annotations:
    # Placeholder value: the sed step on this page swaps it for the role's ARN
    # before the manifest is applied. Applying the file with the placeholder
    # still in place leaves the pods without a usable role.
    eks.amazonaws.com/role-arn: ROLE_ARN
# Fetch the ARN of es-role; it is substituted into the ServiceAccount
# annotation in fluent-bit-sa.yaml by the following sed step.
ROLE_ARN="$(
  aws iam get-role \
    --role-name es-role \
    --query 'Role.Arn' \
    --output text
)"
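# Replace the ROLE_ARN placeholder in the ServiceAccount manifest in place
# (GNU sed -i). The :? guard stops the command when ROLE_ARN is empty, which
# would otherwise write an empty role annotation.
# NOTE(review): with an empty or wrong annotation the pod gets no web-identity
# role; depending on node settings the AWS SDK may then fall back to the node's
# instance-profile credentials -- verify the annotation after applying.
sed -i "s|ROLE_ARN|${ROLE_ARN:?ROLE_ARN is empty - run the get-role step first}|g" fluent-bit-sa.yaml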
# Create or update the fluent-bit ServiceAccount; run this only after the
# placeholder in the manifest has been replaced with the real role ARN.
kubectl apply --filename fluent-bit-sa.yaml
# Read-only, cluster-wide access to namespaces and pods. No write verbs and no
# access to secrets are granted.
# NOTE(review): presumably this is what the kubernetes filter in the Fluent Bit
# ConfigMap uses to look up pod metadata through the API server -- confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fluent-bit-read
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - pods
  verbs: ["get", "list", "watch"]
---
# Binds the role above to exactly one subject: the fluent-bit ServiceAccount
# in the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fluent-bit-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluent-bit-read
subjects:
- kind: ServiceAccount
  name: fluent-bit
  namespace: default
# Create or update the ClusterRole and ClusterRoleBinding for Fluent Bit.
kubectl apply --filename fluent-bit-rbac.yaml
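# Fluent Bit configuration: three tail inputs (customer, order, product), one
# kubernetes metadata filter and three OpenSearch outputs, one index per app.
# The ${...} references inside the config are resolved by Fluent Bit from the
# container environment set in the DaemonSet.
#
# Fix over the original: the product input was tagged kube.order.* and the
# product output matched kube.order.*, so order and product records were each
# delivered to both the order and the product index. Both now use
# kube.product.*.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    k8s-app: fluent-bit
  name: fluent-bit-config
  namespace: default
data:
  # NOTE(review): the built-in HTTP server listens on all pod interfaces
  # (0.0.0.0:2020) and this config sets no authentication for it; restrict who
  # can reach the port (for example with a NetworkPolicy) if that matters.
  fluent-bit.conf: |
    [SERVICE]
        Flush         1
        Log_Level     info
        Daemon        off
        Parsers_File  parsers.conf
        HTTP_Server   On
        HTTP_Listen   0.0.0.0
        HTTP_Port     2020

    @INCLUDE input-kubernetes.conf
    @INCLUDE input-order-kubernetes.conf
    @INCLUDE input-product-kubernetes.conf
    @INCLUDE filter-kubernetes.conf
    @INCLUDE output-opensearch.conf
    @INCLUDE output-order-opensearch.conf
    @INCLUDE output-product-opensearch.conf

  # NOTE(review): all three tail inputs keep their offsets in the same DB file
  # under the node's /var/log; verify whether each input should have its own
  # file. The docker parser expects JSON log lines -- on nodes whose runtime
  # writes CRI-format logs a different parser is needed; confirm.
  input-kubernetes.conf: |
    [INPUT]
        Name              tail
        Tag               kube.customer.*
        Path              /var/log/containers/customer*.log
        Parser            docker
        DB                /var/log/flb_kube.db
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        Refresh_Interval  10

  input-order-kubernetes.conf: |
    [INPUT]
        Name              tail
        Tag               kube.order.*
        Path              /var/log/containers/order*.log
        Parser            docker
        DB                /var/log/flb_kube.db
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        Refresh_Interval  10

  input-product-kubernetes.conf: |
    [INPUT]
        Name              tail
        Tag               kube.product.*
        Path              /var/log/containers/product*.log
        Parser            docker
        DB                /var/log/flb_kube.db
        Mem_Buf_Limit     5MB
        Skip_Long_Lines   On
        Refresh_Interval  10

  # Talks to the API server with the pod's mounted service-account token and
  # verifies the server against the mounted cluster CA.
  filter-kubernetes.conf: |
    [FILTER]
        Name                kubernetes
        Match               kube.*
        Kube_URL            https://kubernetes.default.svc:443
        Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
        Merge_Log           On
        Merge_Log_Key       log_processed
        K8S-Logging.Parser  On
        K8S-Logging.Exclude On

  # Each output uses TLS on port 443 and AWS_Auth On, i.e. requests are signed
  # with the AWS credentials available to the pod.
  output-opensearch.conf: |
    [OUTPUT]
        Name                es
        Match               kube.customer.*
        Host                ${OPENSEARCH_ENDPOINT}
        Port                443
        TLS                 On
        AWS_Auth            On
        AWS_Region          ${AWS_REGION}
        Index               ${CUSTOMER_INDEX_NAME}
        Replace_Dots        On
        Suppress_Type_Name  On

  output-order-opensearch.conf: |
    [OUTPUT]
        Name                es
        Match               kube.order.*
        Host                ${OPENSEARCH_ENDPOINT}
        Port                443
        TLS                 On
        AWS_Auth            On
        AWS_Region          ${AWS_REGION}
        Index               ${ORDER_INDEX_NAME}
        Replace_Dots        On
        Suppress_Type_Name  On

  output-product-opensearch.conf: |
    [OUTPUT]
        Name                es
        Match               kube.product.*
        Host                ${OPENSEARCH_ENDPOINT}
        Port                443
        TLS                 On
        AWS_Auth            On
        AWS_Region          ${AWS_REGION}
        Index               ${PRODUCT_INDEX_NAME}
        Replace_Dots        On
        Suppress_Type_Name  On

  parsers.conf: |
    [PARSER]
        Name         docker
        Format       json
        Time_Key     time
        Time_Format  %Y-%m-%dT%H:%M:%S.%L
        Time_Keep    On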
# Create or update the fluent-bit-config ConfigMap.
kubectl apply --filename cm.yaml
# Fluent Bit DaemonSet: one pod per node labelled skills=app, running as the
# fluent-bit ServiceAccount so it receives that account's IAM role.
# NOTE(review): the pod spec sets no securityContext and no resource
# requests/limits; decide whether the defaults are acceptable for a pod that
# mounts host paths.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: fluent-bit-logging
    kubernetes.io/cluster-service: "true"
    version: v1
  name: fluent-bit
  namespace: default
spec:
  selector:
    matchLabels:
      k8s-app: fluent-bit-logging
  template:
    metadata:
      annotations:
        prometheus.io/path: /api/v1/metrics/prometheus
        prometheus.io/port: "2020"
        prometheus.io/scrape: "true"
      labels:
        k8s-app: fluent-bit-logging
        kubernetes.io/cluster-service: "true"
        version: v1
    spec:
      nodeSelector:
        skills: app
      containers:
      - env:
        # The endpoint value and the date suffix of the three index names are
        # placeholders; the sed step on this page fills them in before the
        # manifest is applied.
        - name: OPENSEARCH_ENDPOINT
          value: ES_EP
        - name: AWS_REGION
          value: ap-northeast-2
        - name: CUSTOMER_INDEX_NAME
          value: customer-TIME
        - name: ORDER_INDEX_NAME
          value: order-TIME
        - name: PRODUCT_INDEX_NAME
          value: product-TIME
        name: fluent-bit
        # NOTE(review): a tag can be re-pointed by the publisher; pinning the
        # image by digest makes the deployed content reproducible.
        image: amazon/aws-for-fluent-bit:2.28.0
        imagePullPolicy: Always
        ports:
        - containerPort: 2020
        volumeMounts:
        # Mounted read-write: the tail inputs in the ConfigMap keep their
        # offset database under /var/log, so the container can write to the
        # node's log directory.
        - mountPath: /var/log
          name: varlog
        - mountPath: /var/lib/docker/containers
          name: varlibdockercontainers
          readOnly: true
        - mountPath: /fluent-bit/etc/
          name: fluent-bit-config
      serviceAccountName: fluent-bit
      terminationGracePeriodSeconds: 10
      # Tolerates every NoSchedule and NoExecute taint; placement is still
      # limited by the nodeSelector above.
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      volumes:
      - hostPath:
          path: /var/log
        name: varlog
      - hostPath:
          path: /var/lib/docker/containers
        name: varlibdockercontainers
      - configMap:
          name: fluent-bit-config
        name: fluent-bit-config
# Endpoint of the OpenSearch domain, substituted into the DaemonSet's
# OPENSEARCH_ENDPOINT value.
# NOTE(review): with --output text a missing field prints "None"; for a domain
# inside a VPC the endpoint may be reported under a different key -- check the
# value before substituting it.
ES_EP="$(
  aws opensearch describe-domain \
    --domain-name skills-opensearch-domain \
    --query 'DomainStatus.Endpoint' \
    --output text
)"

# Date suffix for the index names. "+9 hour" is relative to the shell's own
# clock, so this is the KST date only when the shell runs in UTC (GNU date).
# The value is computed once here and baked into the manifest, so the index
# names do not roll over by themselves.
TIME="$(date -d '+9 hour' '+%Y.%m.%d')"
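# Fill the two placeholders in daemonset.yaml in place (GNU sed -i). These are
# two separate commands; run as the single collapsed line shown on the page,
# the second "sed -i ..." would be parsed as file arguments of the first.
# The :? guards stop a substitution that would write an empty endpoint or an
# empty date suffix into the manifest.
sed -i "s|ES_EP|${ES_EP:?ES_EP is empty - run the describe-domain step first}|g" daemonset.yaml
sed -i "s|TIME|${TIME:?TIME is empty - run the date step first}|g" daemonset.yaml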
# Create or update the Fluent Bit DaemonSet; run this only after both
# placeholders in daemonset.yaml have been substituted.
kubectl apply --filename daemonset.yaml
Console