【Question title】: How to configure fluentd daemonset for RBAC
【Posted】: 2018-01-06 12:21:11
【Question】:

Problem

If RBAC is enabled, the fluentd daemonset manifest from Kubernetes Logging with Fluentd results in an authorization error.

$ kubectl logs fluentd-4nzv7 -n kube-system
2018-01-06 11:28:10 +0000 [info]: reading config file path="/fluentd/etc/fluent.conf"
2018-01-06 11:28:10 +0000 [info]: starting fluentd-0.12.33
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '1.10.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '0.29.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-record-reformer' version '0.9.1'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-secure-forward' version '0.4.5'
2018-01-06 11:28:10 +0000 [info]: gem 'fluentd' version '0.12.33'
2018-01-06 11:28:10 +0000 [info]: adding match pattern="fluent.**" type="null"
2018-01-06 11:28:10 +0000 [info]: adding filter pattern="kubernetes.**" type="kubernetes_metadata"
2018-01-06 11:28:11 +0000 [info]: adding match pattern="**" type="elasticsearch"
2018-01-06 11:28:11 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error="Exception encountered fetching metadata from Kubernetes API endpoint: pods is forbidden: User \"system:serviceaccount:kube-system:default\" cannot list pods at the cluster scope ({\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\"system:serviceaccount:kube-system:default\\\" cannot list pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\n)"
2018-01-06 11:28:11 +0000 [info]: process finished code=256
2018-01-06 11:28:11 +0000 [warn]: process died within 1 second. exit.

【Discussion】:

    Tags: logging kubernetes fluentd


    【Solution 1】:

    When you define your daemonset, you can also define your RBAC.

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: fluentd-service-account
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: fluentd-service-account
    subjects:
    - kind: ServiceAccount
      name: fluentd-service-account
      namespace: kube-system
    
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: fluentd-service-account
      namespace: kube-system
    rules:
      - apiGroups: ["*"]
        resources:
          - pods
          - namespaces
        verbs:
          - get
          - watch
          - list
    
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: fluentd-service-account
      namespace: kube-system
    

    Source.

    【Discussion】:

    • Along with the changes above, add the following to the daemonset spec: serviceAccount: fluentd-service-account, serviceAccountName: fluentd-service-account
    【Solution 2】:

    Get "403 Forbidden" message when running the pod

    The link shows the solution.


    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: fluentd
      namespace: system
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: fluentd
      namespace: system
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - list
      - watch
    
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: fluentd
    roleRef:
      kind: ClusterRole
      name: fluentd
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      name: fluentd
      namespace: system
    
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: fluentd
      namespace: system
    data:
      fluent.conf: |
        @include kubernetes.conf
    
        <match **>
           type elasticsearch
           log_level info
           include_tag_key true
           host elastic.system.svc.cluster.local
           port 9200
           user elastic
           password <...>
           logstash_format true
           buffer_chunk_limit 2M
           buffer_queue_limit 32
           flush_interval 5s
           max_retry_wait 30
           disable_retry_limit
           num_threads 8
        </match>
    
    ---
    apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
      name: fluentd
      namespace: system
      labels:
        k8s-app: fluentd-logging
        version: v1
        kubernetes.io/cluster-service: "true"
    spec:
      template:
        metadata:
          labels:
            k8s-app: fluentd-logging
            version: v1
            kubernetes.io/cluster-service: "true"
        spec:
          serviceAccount: fluentd
          serviceAccountName: fluentd
          containers:
            - name: fluentd
              image: fluent/fluentd-kubernetes-daemonset:elasticsearch
              volumeMounts:
                - name: varlog
                  mountPath: /var/log
                - name: varlibdockercontainers
                  mountPath: /var/lib/docker/containers
                - name: config
                  mountPath: /fluentd/etc/fluent.conf
                  subPath: fluent.conf
          volumes:
            - name: varlog
              hostPath:
                path: /var/log
            - name: varlibdockercontainers
              hostPath:
                path: /var/lib/docker/containers
            - name: config
              configMap:
                name: fluentd
    

    【Discussion】:
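A check that applies to both answers above (the fluentd-service-account binding in Solution 1 and the fluentd binding in Solution 2): an added example, not code from either answer, that evaluates cluster-scoped RBAC offline the way `kubectl auth can-i VERB RESOURCE --as=system:serviceaccount:NS:NAME` would, so the 403 from the question ("cannot list pods at the cluster scope" for the default ServiceAccount) can be reproduced before deploying, and that lints the ClusterRole for wildcard rules such as `apiGroups: ["*"]`. The manifests are constructed Python dicts of the same shape as the YAML objects; loading real YAML (for example with PyYAML) is assumed to happen elsewhere.

```python
from typing import Dict, List

# Constructed manifests (Python dicts, same shape as the answer's ServiceAccount,
# ClusterRole and ClusterRoleBinding YAML; not loaded from a file).
MANIFESTS: List[Dict] = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "fluentd", "namespace": "kube-system"}},
    {"kind": "ClusterRole", "metadata": {"name": "fluentd"},
     "rules": [{"apiGroups": ["*"], "resources": ["pods", "namespaces"],
                "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "fluentd"},
     "roleRef": {"kind": "ClusterRole", "name": "fluentd"},
     "subjects": [{"kind": "ServiceAccount", "name": "fluentd",
                   "namespace": "kube-system"}]},
]


def bound_cluster_roles(docs: List[Dict], sa_ns: str, sa_name: str) -> List[str]:
    """ClusterRoles granted to the ServiceAccount through a ClusterRoleBinding."""
    roles = []
    for d in docs:
        if d["kind"] != "ClusterRoleBinding" or d["roleRef"]["kind"] != "ClusterRole":
            continue
        for s in d.get("subjects", []):
            if (s.get("kind"), s.get("name"), s.get("namespace")) == (
                    "ServiceAccount", sa_name, sa_ns):
                roles.append(d["roleRef"]["name"])
    return roles


def can_i(docs: List[Dict], sa_ns: str, sa_name: str, verb: str,
          resource: str, api_group: str = "") -> bool:
    """Offline stand-in for `kubectl auth can-i`; core resources use api group ""."""
    bound = set(bound_cluster_roles(docs, sa_ns, sa_name))
    for d in docs:
        if d["kind"] != "ClusterRole" or d["metadata"]["name"] not in bound:
            continue
        for rule in d.get("rules", []):
            # A rule matches when every field lists the value or a '*' wildcard.
            if all(x in rule.get(field, []) or "*" in rule.get(field, [])
                   for x, field in ((api_group, "apiGroups"),
                                    (resource, "resources"), (verb, "verbs"))):
                return True
    return False


def wildcard_rules(docs: List[Dict]):
    """Least-privilege lint: (role, rule index, field) wherever a rule uses '*'."""
    return [(d["metadata"]["name"], i, field)
            for d in docs if d["kind"] == "ClusterRole"
            for i, rule in enumerate(d.get("rules", []))
            for field in ("apiGroups", "resources", "verbs")
            if "*" in rule.get(field, [])]
```

The wildcard hit on `apiGroups` is what a reviewer would tighten to `[""]`, since pods and namespaces are core-group resources and the filter plugin needs nothing else.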
