Container Service for Kubernetes: Enable Simple Log Service for a registered cluster

Last Updated: Oct 18, 2024

You can enable Simple Log Service for registered clusters. This way, you can centrally manage registered clusters that are deployed across regions. This topic describes how to enable Simple Log Service for a registered cluster.

Prerequisites

Step 1: Grant RAM permissions to logtail-ds

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant Resource Access Management (RAM) permissions to logtail-ds:

    onectl ram-user grant --addon logtail-ds

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

Before you install a component in the registered cluster, you must set the AccessKey pair to grant the registered cluster the permissions to access Alibaba Cloud resources. Before you set the AccessKey pair, you must create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy and add the following content to the policy. For more information, see Create custom policies.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  3. Attach the policy to the RAM user. For more information, see Grant permissions to a RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.

  5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.

    Run the following command to create the Secret. The Logtail component uses the Secret.

    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

    Note

    Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.
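
Passing the AccessKey pair with --from-literal can leave it in shell history and in the process list while kubectl runs. The following is an added example, not part of the original documentation: it renders the same alibaba-addon-secret from two local files and refuses files that are accessible to group or others. The function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: function names and file paths are hypothetical.

# True only for a non-empty regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Base64-encode a file's content; $(cat) drops the trailing newline editors add.
b64_file() {
    printf '%s' "$(cat "$1")" | base64 | tr -d '\n'
}

# Print the Secret manifest on stdout.
# $1: file holding the AccessKey ID, $2: file holding the AccessKey secret.
render_addon_secret() {
    for f in "$1" "$2"; do
        if ! is_private_file "$f"; then
            echo "refusing $f: missing, empty, or accessible to group/others" >&2
            return 1
        fi
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system
type: Opaque
data:
  access-key-id: $(b64_file "$1")
  access-key-secret: $(b64_file "$2")
EOF
}

# Usage (not run here; needs kubectl access to the registered cluster):
#   render_addon_secret ./ak-id.txt ./ak-secret.txt | kubectl apply -f -
```

Delete the two input files once the Secret exists in the cluster.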

Step 2: Install logtail-ds

Use onectl

Run the following command to install logtail-ds:

onectl addon install logtail-ds

Expected output:

Addon logtail-ds, version **** installed.

Use the console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, click the Logs and Monitoring tab, find the logtail-ds component, and then click Install.

  4. In the Note dialog box, click OK.

(Optional) Step 3: Configure log output collection for all pods

Text logs

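To collect the text logs of all pods, use kubectl to connect to the registered cluster and deploy the following AliyunLogConfig. The sample restricts collection to the containers matched by the filters under advanced.k8s (namespace, pod, container, and label regular expressions), so adjust those filters to match the pods that you want to collect from.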

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  name: test-file                  # The name of the resource. The name must be unique in the current Kubernetes cluster.
spec:
  project: k8s-log-c326bc86****    # Optional. The custom project name. We recommend that you name the project in the format of k8s-log-<cluster ID>.
  logstore: test-file              # Required. The name of the Logstore. If no Logstore exists, Simple Log Service automatically creates a Logstore.
  logtailConfig:                   # The Logtail configuration.
    inputType: file                # The type of the data source. Valid values: file and plugin. The value file specifies text logs. The value plugin specifies stdout.
    configName: test-file          # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name.
    inputDetail:                   # The details of the Logtail configuration.
      logType: common_reg_log      # Collect text logs in simple mode.
      logPath: /log/               # The path of the log file.
      filePattern: "*.log"         # The name of the log file. The name can contain asterisks (*) and question marks (?). Example: log_*.log.
      dockerFile: true             # Specify whether to collect logs from docker containers.
      advanced:                    # Specify conditions to filter containers.
        k8s:
          K8sNamespaceRegex: ^(default)$
          K8sPodRegex: '^(nginx-log-demo.*)$'
          K8sContainerRegex: ^(nginx-log-demo-0)$
          IncludeK8sLabel:
            job-name: "^(nginx-log-demo.*)$"

For information about more parameters, see Logtail configurations.

Stdout

To collect the standard output (stdout) of all pods, you need to use kubectl to connect to the registered cluster and deploy the following AliyunLogConfig. After the AliyunLogConfig is deployed, a Logstore named stdout-logstore is automatically created.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  # your config name, must be unique in your k8s cluster.
  name: stdout-collector
spec:
  # logstore name to upload log.
  logstore: stdout-logstore
  # logtail config detail
  logtailConfig:
    # docker stdout's input type is 'plugin'.
    inputType: plugin
    # logtail config name, must be the same as [metadata.name].
    configName: stdout-collector
    inputDetail:
      plugin:
        inputs:
          -
            type: service_docker_stdout
            detail:
              # collect stdout and stderr
              Stdout: true
              Stderr: true
              # collect the stdout of all containers except containers with "COLLECT_STDOUT_FLAG:false" in docker env config.
              ExcludeEnv:
                COLLECT_STDOUT_FLAG: "false"

Step 4: Configure Simple Log Service