gpt4 book ai didi

logging - 如何为 RBAC 配置 fluentd daemonset

转载 作者:行者123 更新时间:2023-12-05 00:13:50 27 4
gpt4 key购买 nike

问题

fluentd 守护进程 list 在 Kubernetes Logging with Fluentd如果启用 RBAC,将导致授权错误。

$ kubectl logs fluentd-4nzv7 -n kube-system
2018-01-06 11:28:10 +0000 [info]: reading config file path="/fluentd/etc/fluent.conf"
2018-01-06 11:28:10 +0000 [info]: starting fluentd-0.12.33
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '1.10.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '0.29.0'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-record-reformer' version '0.9.1'
2018-01-06 11:28:10 +0000 [info]: gem 'fluent-plugin-secure-forward' version '0.4.5'
2018-01-06 11:28:10 +0000 [info]: gem 'fluentd' version '0.12.33'
2018-01-06 11:28:10 +0000 [info]: adding match pattern="fluent.**" type="null"
2018-01-06 11:28:10 +0000 [info]: adding filter pattern="kubernetes.**" type="kubernetes_metadata"
2018-01-06 11:28:11 +0000 [info]: adding match pattern="**" type="elasticsearch"
2018-01-06 11:28:11 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error="Exception encountered fetching metadata from Kubernetes API endpoint: pods is forbidden: User \"system:serviceaccount:kube-system:default\" cannot list pods at the cluster scope ({\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\\"system:serviceaccount:kube-system:default\\\" cannot list pods at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}\n)"
2018-01-06 11:28:11 +0000 [info]: process finished code=256
2018-01-06 11:28:11 +0000 [warn]: process died within 1 second. exit.

最佳答案

当你定义你的守护进程时,你也可以定义你的 RBAC。

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: fluentd-service-account
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluentd-service-account
subjects:
- kind: ServiceAccount
name: fluentd-service-account
namespace: kube-system

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: fluentd-service-account
namespace: kube-system
rules:
- apiGroups: ["*"]
resources:
- pods
- namespaces
verbs:
- get
- watch
- list

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: fluentd-service-account
namespace: kube-system

Source.

关于logging - 如何为 RBAC 配置 fluentd daemonset,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48127275/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com