k8s 使用filebeat收集所有容器标准输出的日志
k8s-filebeat收集所有容器标准输出的日志
1. k8s-收集所有容器标准输出的日志
- filebeat-kubernetes.yaml # 采集所有容器标准输出
- app-log-stdout.yaml # 标准输出测试应用
- app-log-logfile.yaml # 日志文件测试应用
1.1 filebeat-kubernetes 配置文件
-
filebeat-kubernetes采集示意图
- 针对标准输出:以DaemonSet方式在每个Node上部署一个日志收集程序,采集/var/lib/docker/containers/目录下所有容器日志
-
示例filebeat-kubernetes.yaml配置文件
--- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-config namespace: ops labels: k8s-app: filebeat data: filebeat.yml: |- filebeat.config: inputs: # Mounted `filebeat-inputs` configmap: path: ${path.config}/inputs.d/*.yml # Reload inputs configs as they change: reload.enabled: false modules: path: ${path.config}/modules.d/*.yml # Reload module configs as they change: reload.enabled: false output.elasticsearch: hosts: ['49.65.125.91:9200'] --- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-inputs namespace: ops labels: k8s-app: filebeat data: kubernetes.yml: |- - type: docker containers.ids: - "*" processors: - add_kubernetes_metadata: in_cluster: true --- apiVersion: apps/v1 kind: DaemonSet metadata: name: filebeat namespace: ops labels: k8s-app: filebeat spec: selector: matchLabels: k8s-app: filebeat template: metadata: labels: k8s-app: filebeat spec: serviceAccountName: filebeat terminationGracePeriodSeconds: 30 containers: - name: filebeat image: elastic/filebeat:7.9.2 args: [ "-c", "/etc/filebeat.yml", "-e", ] securityContext: runAsUser: 0 # If using Red Hat OpenShift uncomment this: #privileged: true resources: limits: memory: 200Mi requests: cpu: 100m memory: 100Mi volumeMounts: - name: config mountPath: /etc/filebeat.yml readOnly: true subPath: filebeat.yml - name: inputs mountPath: /usr/share/filebeat/inputs.d readOnly: true - name: data mountPath: /usr/share/filebeat/data - name: varlibdockercontainers mountPath: /var/lib/docker/containers readOnly: true volumes: - name: config configMap: defaultMode: 0600 name: filebeat-config - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers - name: inputs configMap: defaultMode: 0600 name: filebeat-inputs # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart - name: data hostPath: path: /var/lib/filebeat-data type: DirectoryOrCreate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: filebeat subjects: - kind: ServiceAccount name: filebeat namespace: ops roleRef: kind: ClusterRole name: filebeat apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: filebeat labels: k8s-app: filebeat rules: - apiGroups: [""] # "" indicates the core API group resources: - namespaces - pods verbs: - get - watch - list --- apiVersion: v1 kind: ServiceAccount metadata: name: filebeat namespace: ops labels: k8s-app: filebeat -
可视化展示日志:
1.查看索引(日志记录集合):Management -> Stack Management -> 索引管理
2.将索引关联到Kibana:索引模式-> 创建-> 匹配模式-> 选择时间戳
3.在Discover选择索引模式查看日志
-
图示
1.2 日志文件输出
-
日志文件输出架构图解
- 针对容器中日志文件:在Pod中增加一个容器运行日志采集器,使用emtyDir共享日志目录让日志采集器读取到日志文件
2. 操作案例
-
编写filebeat-kubernetes.yaml配置文件
[root@k8s-master elk]# vim filebeat-kubernetes.yaml [root@k8s-master elk]# cat filebeat-kubernetes.yaml --- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-config namespace: ops labels: k8s-app: filebeat data: filebeat.yml: |- filebeat.config: inputs: # Mounted `filebeat-inputs` configmap: path: ${path.config}/inputs.d/*.yml # Reload inputs configs as they change: reload.enabled: false modules: path: ${path.config}/modules.d/*.yml # Reload module configs as they change: reload.enabled: false output.elasticsearch: hosts: ['127.0.0.1:9200'] username: "admin" password: "12345678" --- apiVersion: v1 kind: ConfigMap metadata: name: filebeat-inputs namespace: ops labels: k8s-app: filebeat data: kubernetes.yml: |- - type: docker containers.ids: - "*" processors: - add_kubernetes_metadata: in_cluster: true --- apiVersion: apps/v1 kind: DaemonSet metadata: name: filebeat namespace: ops labels: k8s-app: filebeat spec: selector: matchLabels: k8s-app: filebeat template: metadata: labels: k8s-app: filebeat spec: serviceAccountName: filebeat terminationGracePeriodSeconds: 30 containers: - name: filebeat image: elastic/filebeat:7.10.1 args: [ "-c", "/etc/filebeat.yml", "-e", ] securityContext: runAsUser: 0 # If using Red Hat OpenShift uncomment this: #privileged: true resources: limits: memory: 200Mi requests: cpu: 100m memory: 100Mi volumeMounts: - name: config mountPath: /etc/filebeat.yml readOnly: true subPath: filebeat.yml - name: inputs mountPath: /usr/share/filebeat/inputs.d readOnly: true - name: data mountPath: /usr/share/filebeat/data - name: varlibdockercontainers mountPath: /var/lib/docker/containers readOnly: true volumes: - name: config configMap: defaultMode: 0600 name: filebeat-config - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers - name: inputs configMap: defaultMode: 0600 name: filebeat-inputs # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart - name: data hostPath: path: /var/lib/filebeat-data type: DirectoryOrCreate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: filebeat subjects: - kind: ServiceAccount name: filebeat namespace: ops roleRef: kind: ClusterRole name: filebeat apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: filebeat labels: k8s-app: filebeat rules: - apiGroups: [""] # "" indicates the core API group resources: - namespaces - pods verbs: - get - watch - list --- apiVersion: v1 kind: ServiceAccount metadata: name: filebeat namespace: ops labels: k8s-app: filebeat -
运行配置
[root@k8s-master elk]# kubectl create namespace ops namespace/ops created [root@k8s-master elk]# kubectl apply -f filebeat-kubernetes.yaml configmap/filebeat-config created configmap/filebeat-inputs created daemonset.apps/filebeat created clusterrolebinding.rbac.authorization.k8s.io/filebeat unchanged clusterrole.rbac.authorization.k8s.io/filebeat unchanged serviceaccount/filebeat created -
查看运行配置
[root@k8s-master elk]# kubectl get pods -n ops NAME READY STATUS RESTARTS AGE filebeat-dmbzg 1/1 Running 0 24m [root@k8s-master elk]# kubectl logs -f filebeat-dmbzg -n ops -
查看kibana是否有索引
3. 可视化展示数据
- 可视化展示数据
-
创建索引
-
查看索引数据
4. 验证日志输出
-
创建nginx服务
[root@k8s-master elk]# kubectl run nginx --image=nginx -
请求nginx,得到日志数据
[root@k8s-master elk]# kubectl get pods NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 33h tomcat 1/1 Running 0 33h web-5df8b97c79-hksfc 1/1 Running 0 3d3h [root@k8s-master elk]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx 1/1 Running 0 33h 10.244.85.196 k8s-node01 <none> <none> tomcat 1/1 Running 0 33h 10.244.85.197 k8s-node01 <none> <none> web-5df8b97c79-hksfc 1/1 Running 0 3d3h 10.244.85.195 k8s-node01 <none> <none> [root@k8s-master elk]# curl -I 10.244.85.196 HTTP/1.1 200 OK Server: nginx/1.21.1 Date: Thu, 08 Jul 2021 14:13:02 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT Connection: keep-alive ETag: "60e46fc5-264" Accept-Ranges: bytes [root@k8s-master elk]# curl -I 10.244.85.196 HTTP/1.1 200 OK Server: nginx/1.21.1 Date: Thu, 08 Jul 2021 14:13:04 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT Connection: keep-alive ETag: "60e46fc5-264" Accept-Ranges: bytes -
查看输出日志
[root@k8s-master elk]# kubectl logs nginx 10.244.235.192 - - [07/Jul/2021:05:15:13 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-" 10.244.235.192 - - [07/Jul/2021:05:15:18 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-" 10.244.235.192 - - [08/Jul/2021:14:08:55 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-" 10.244.235.192 - - [08/Jul/2021:14:08:57 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-" 10.244.235.192 - - [08/Jul/2021:14:13:02 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0" "-" 10.244.235.192 - - [08/Jul/2021:14:13:04 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0" "-" -
kibana验证nginx数据是否被收集
