Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to configure fluentd daemonset for RBAC

Tags:

logging

kubernetes

fluentd

Issue

The fluentd daemonset manifest in Kubernetes Logging with Fluentd will cause an authorization error if RBAC is enabled.

$ kubectl logs fluentd-4nzv7 -n kube-system
2018-01-06 11:28:10 +0000 [info]: reading config file path="/fluentd/etc/fluent.conf"
2018-01-06 11:28:10 +0000 [info]: starting fluentd-0.12.33
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '1.10.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '0.29.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-record-reformer' version '0.9.1'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-secure-forward' version '0.4.5'
2018-01-06 11:28:10 +0000 [info]: gem 'fluentd' version '0.12.33'
2018-01-06 11:28:10 +0000 [info]: adding match pattern="fluent.**" type="null"
2018-01-06 11:28:10 +0000 [info]: adding filter pattern="kubernetes.**" type="kubernetes_metadata"
2018-01-06 11:28:11 +0000 [info]: adding match pattern="**" type="elasticsearch"
2018-01-06 11:28:11 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error="Exception encountered fetching metadata from Kubernetes API endpoint: pods is forbidden: User \"system:serviceaccount:kube-system:default\" cannot list pods at the cluster scope ({\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\"system:serviceaccount:kube-system:default\\\" cannot list pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\n)"
2018-01-06 11:28:11 +0000 [info]: process finished code=256
2018-01-06 11:28:11 +0000 [warn]: process died within 1 second. exit.
like image 523
mon Avatar asked Jan 28 '23 22:01

mon

1 Answers

When you are defining your daemonset you can also define your RBAC.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: fluentd-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluentd-service-account
subjects:
- kind: ServiceAccount
  name: fluentd-service-account
  namespace: kube-system

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: fluentd-service-account
  namespace: kube-system
rules:
  - apiGroups: ["*"]
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - watch
      - list

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluentd-service-account
  namespace: kube-system

Source.

like image 99
j.davies Avatar answered Feb 06 '23 15:02

j.davies
Sign in to Comment

Related questions

How to log SQL queries, their parameters and results with Log4jdbc in Spring Boot projects?
Python logging format: how to print only the last part of logger name?
Swift: OSLog/os_log not showing up in console app
How to suppress third party logs in pytest
IIS log files and load balancer?
Advice for minimizing locking on an append only table in MS SQL Server?
commons-logging config: use SimpleLog & set debug level
Logging to files or to event viewer?
How does SVN store commit time?
Python/django root logger level
Logging design pattern in a Zend framework application

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!