Introduction to Setting Up Fluent-bit in EKS
Effective log management is crucial for maintaining application performance and troubleshooting issues in today’s cloud-native world. Amazon Elastic Kubernetes Service (EKS) simplifies the deployment and management of containerized applications, but to harness its full potential, integrating logging solutions like Fluent-bit with Amazon CloudWatch is essential. Fluent-bit is a lightweight and efficient log processor that forwards logs from your EKS clusters to CloudWatch. This blog post will guide you through deploying Fluent-bit as a DaemonSet in EKS for seamless CloudWatch logs integration.
Overview of the Article and Purpose of Fluent-bit in Logging
This article provides a step-by-step guide for deploying Fluent-bit in an EKS cluster, focusing on integrating it with Amazon CloudWatch. Fluent-bit is widely used for collecting, processing, and forwarding logs. In an EKS environment, deploying Fluent-bit as a DaemonSet ensures that a Fluent-bit pod runs on each node in the cluster, continuously collecting logs and sending them to CloudWatch for centralized monitoring and analysis.
Prerequisites and Initial Setup
Before we dive into the deployment process, ensure that you have the following prerequisites:
- An existing Amazon EKS cluster.
- kubectl and eksctl installed and configured on your local machine.
- AWS CLI configured with appropriate permissions.
- IAM permissions to create roles and service accounts.
- Basic knowledge of Kubernetes and Fluent-bit.
Creating the amazon-cloudwatch Namespace
To organize resources related to Fluent-bit and CloudWatch integration, we’ll start by creating a dedicated namespace:
kubectl create namespace amazon-cloudwatch
Configuring Service Account and IAM Role
Fluent-bit requires the necessary AWS permissions to send logs to CloudWatch. These permissions are granted through an IAM role that we will associate with a Kubernetes service account.
Creating the Fluent-bit Service Account and Attaching the Correct IAM Role
First, create a service account in the amazon-cloudwatch namespace:
kubectl create serviceaccount fluent-bit -n amazon-cloudwatch
IAM Role Creation and Configuration
Next, create an IAM role that Fluent-bit will assume. This role should have permissions to send logs to CloudWatch:
aws iam create-role –role-name FluentBitRole –assume-role-policy-document file://trust-policy.json
Establishing Trust Relationship and Permissions for Fluent-bit
Create a trust policy (saved as trust-policy.json) that allows EKS to assume this role:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {
“Service”: “eks.amazonaws.com”
},
“Action”: “sts:AssumeRole”
}
]
}
Attach the required policies to the role:
aws iam attach-role-policy –role-name FluentBitRole –policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
Finally, associate the IAM role with the Kubernetes service account using eksctl:
eksctl create iamserviceaccount \
–name fluent-bit \
–namespace amazon-cloudwatch \
–cluster <your-cluster-name> \
–attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
–approve \
–override-existing-serviceaccounts
Deploying Fluent-bit Using eksctl
Simplifying Deployment with eksctl Commands
Using eksctl, we can streamline the deployment process. Ensure that the IAM role is attached to the service account, and then proceed to deploy Fluent-bit.
Configuring Fluent-bit Cluster Information
Fluent-bit needs configuration details to know where to send logs. This configuration is stored in a ConfigMap, which includes parameters such as log format, AWS region, and log group name.
Understanding and Creating the ConfigMap for Fluent-bit
Create a ConfigMap with the necessary Fluent-bit configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: fluent-bit-config
namespace: amazon-cloudwatch
data:
fluent-bit.conf: |
[SERVICE]
Flush 1
Log_Level info
[OUTPUT]
Name cloudwatch_logs
Match *
region <your-region>
log_group_name fluent-bit-cloudwatch
log_stream_prefix from-fluent-bit-
Apply the ConfigMap:
kubectl apply -f fluent-bit-config.yaml
Deploying Fluent-bit DaemonSet
Applying the Fluent-bit DaemonSet Configuration
With the ConfigMap in place, deploy the Fluent-bit DaemonSet:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fluent-bit
namespace: amazon-cloudwatch
spec:
selector:
matchLabels:
app: fluent-bit
template:
metadata:
labels:
app: fluent-bit
spec:
serviceAccountName: fluent-bit
containers:
– name: fluent-bit
image: fluent/fluent-bit:latest
volumeMounts:
– name: varlog
mountPath: /var/log
– name: config
mountPath: /fluent-bit/etc
env:
– name: FLUENT_ELASTICSEARCH_HOST
value: “elasticsearch”
volumes:
– name: varlog
hostPath:
path: /var/log
– name: config
configMap:
name: fluent-bit-config
Apply the DaemonSet configuration:
kubectl apply -f fluent-bit-daemonset.yaml
Verifying Fluent-bit Deployment
Checking Pod Status and Accessing Logs
After deploying the DaemonSet, verify that the Fluent-bit pods are running on each node:
kubectl get pods -n amazon-cloudwatch -o wide
You can also check the logs from the Fluent-bit pods to ensure that they are processing logs correctly:
kubectl logs <fluent-bit-pod-name> -n amazon-cloudwatch
Monitoring and Management in CloudWatch
Navigating CloudWatch Console and Verifying Log Groups
Once Fluent-bit is up and running, navigate to the CloudWatch console in the AWS Management Console. Verify that the log groups and streams have been created per your configuration. You can now monitor and analyze the logs from your EKS cluster in real time using CloudWatch.
Conclusion
Deploying Fluent-bit as a DaemonSet in your EKS cluster is a powerful way to centralize log management and gain visibility into your applications. Integrating Fluent-bit with CloudWatch ensures that logs from all your nodes are efficiently collected and stored for future analysis and monitoring. This setup not only simplifies log management but also enhances the overall observability of your EKS environment.
References
Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs