Container Service for Kubernetes: Integrate Simple Log Service with registered clusters

Last Updated: Feb 25, 2026

Integrating Simple Log Service (SLS) with registered clusters provides a unified management approach for Kubernetes clusters across different locations. This topic describes how to integrate Simple Log Service with registered clusters using an application in Alibaba Cloud Container Service for Kubernetes.

Prerequisites

Step 1: Configure RAM Permissions for Simple Log Service Components

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to configure RAM permissions for Simple Log Service components.

    onectl ram-user grant --addon logtail-ds

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.

Use the Console

Before installing components in the registered cluster, set up an AccessKey to grant the cluster permissions to access Alibaba Cloud services. Before setting up the AccessKey, create a RAM user and add permissions to access relevant cloud resources.

  1. Create a RAM user.

  2. Create a custom policy. The policy content is as follows.

    Required permissions for Logtail components:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  3. Manage RAM User Permissions.

  4. Create an AccessKey for a RAM user.

    Warning

    We recommend that you configure a network policy to restrict AccessKey calls to trusted network environments. This improves the security of your AccessKey. For more information, see AccessKey network access restriction policy.

  5. Use the AccessKey to create a Secret resource named alibaba-addon-secret in the registered cluster.

    Run the following command to create the Secret that Logtail components use.

    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

    Note

    <your AccessKey ID> and <your AccessKey Secret> are the AccessKey information obtained in the previous step.
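The command in step 5 passes the AccessKey on the command line, where shell history and process listings can record it. The following added example (not part of the original documentation) builds the same Secret, with the same name, namespace and keys, and sends it to kubectl on standard input; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.

# Print a Secret manifest for alibaba-addon-secret on stdout.
# The values pass only through shell builtins and pipes; base64 reads them on
# stdin, so they never appear in another process's argument list.
render_addon_secret() {
  local ak_id=$1 ak_secret=$2 v
  for v in "$ak_id" "$ak_secret"; do
    case $v in
      ''|*'<'*|*'>'*)   # empty, or a <placeholder> copied from the docs
        echo "AccessKey value is empty or still a placeholder" >&2
        return 1 ;;
    esac
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system
type: Opaque
data:
  access-key-id: $(printf '%s' "$ak_id" | base64 | tr -d '\n')
  access-key-secret: $(printf '%s' "$ak_secret" | base64 | tr -d '\n')
EOF
}

# Prompt for the AccessKey (secret not echoed) and create the Secret.
# "kubectl create -f -" reads the manifest from stdin.
create_addon_secret() {
  local ak_id ak_secret manifest
  read -r -p 'AccessKey ID: ' ak_id
  read -r -s -p 'AccessKey Secret: ' ak_secret
  echo
  manifest=$(render_addon_secret "$ak_id" "$ak_secret") || return 1
  printf '%s\n' "$manifest" | kubectl create -f -
}

# Run interactively only when asked: bash create-addon-secret.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_addon_secret
fi
```

The manifest is created with `kubectl create` rather than `kubectl apply`, so no last-applied-configuration annotation holding a copy of the encoded values is stored on the Secret.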

Step 2: Install the logtail-ds Component

Use onectl

You can install logtail-ds by running the following command:

onectl addon install logtail-ds

Expected output:

Addon logtail-ds, version **** installed.

Use the Console

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. Then, in the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Logs and Monitoring tab. Find the logtail-ds component, and then click Install in the lower-right corner of its card.

  4. In the confirmation dialog box, click OK.

(Optional) Step 3: Configure Log Output Collection for All Pods

Text Logs

To configure text logs for all pods, connect to the registered cluster using kubectl. Then, deploy the following configuration.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  name: test-file                  # The resource name, which must be unique in the current Kubernetes cluster.
spec:
  project: k8s-log-c326bc86****    # Optional. The project name. You can customize it. We recommend naming it in the format of [k8s-log-cluster ID].
  logstore: test-file              # Required. The Logstore name. If it does not exist, Simple Log Service automatically creates it.
  logtailConfig:                   # Logtail configuration.
    inputType: file                # The type of the data source. "file" indicates text logs, and "plugin" indicates standard output.
    configName: test-file          # The name of the Logtail configuration. It must be the same as the resource name (metadata.name).
    inputDetail:                   # The details of the Logtail configuration.
      logType: common_reg_log      # Collect text logs in simple mode.
      logPath: /log/               # The path where the log file is located.
      filePattern: "*.log"         # The name of the log file. It supports wildcard characters asterisk (*) and question mark (?). For example, log_*.log.
      dockerFile: true             # Collect files within containers. Set dockerFile to true.
      advanced:                    # Set container filter conditions.
        k8s:
          K8sNamespaceRegex: ^(default)$
          K8sPodRegex: '^(nginx-log-demo.*)$'
          K8sContainerRegex: ^(nginx-log-demo-0)$
          IncludeK8sLabel:
            job-name: "^(nginx-log-demo.*)$"

For more information, see Logtail Configurations (Legacy).

Standard Output

To configure standard output for all pods, connect to the registered cluster using kubectl. Then, deploy the following configuration. After a successful deployment, a Logstore named stdout-logstore is automatically created, and logs are collected in it.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  # your config name, must be unique in your k8s cluster.
  name: stdout-collector
spec:
  # logstore name to upload log.
  logstore: stdout-logstore
  # logtail config detail
  logtailConfig:
    # docker stdout's input type is 'plugin'.
    inputType: plugin
    # logtail config name, should be the same as [metadata.name].
    configName: stdout-collector
    inputDetail:
      plugin:
        inputs:
          -
            type: service_docker_stdout
            detail:
              # collect stdout and stderr
              Stdout: true
              Stderr: true
              # collect all containers' stdout except containers with "COLLECT_STDOUT_FLAG:false" in docker env config.
              ExcludeEnv:
                COLLECT_STDOUT_FLAG: "false"

Step 4: Configure Simple Log Service