本文我们就将在 Kubernetes 集群中使用由 ElasticSearch、Kibana、Filebeat、Metricbeat 和 APM-Server 组成的 Elastic 技术栈来监控系统环境。

  • 监控指标提供系统各个组件的时间序列数据,比如 CPU、内存、磁盘、网络等信息,通常可以用来显示系统的整体状况以及检测某个时间的异常行为
  • 日志为运维人员提供了一个数据来分析系统的一些错误行为,通常将系统、服务和应用的日志集中收集在同一个数据库中
  • 追踪或者 APM(应用性能监控)提供了一个更加详细的应用视图,可以将服务执行的每一个请求和步骤都记录下来(比如 HTTP 调用、数据库查询等),通过追踪这些数据,我们可以检测到服务的性能,并相应地改进或修复我们的系统。

我们这里的试验环境是 Kubernetes v1.16.2 版本的集群,为方便管理,我们将所有的资源对象都部署在一个名为 elastic 的命名空间中:

  1. $ kubectl create ns elastic
  2. namespace/elastic created

1、搭建ES集群

要建立一个 Elastic 技术的监控栈,当然首先我们需要部署 ElasticSearch,它是用来存储所有的指标、日志和追踪的数据库,这里我们通过3个不同角色的可扩展的节点组成一个集群。

2.1 安装 ElasticSearch 主节点

设置集群的第一个节点为 Master 主节点,来负责控制整个集群。

  1. 首先创建一个 ConfigMap 对象,用来描述集群的一些配置信息,以方便将 ElasticSearch 的主节点配置到集群中并开启安全认证功能。
  2. 然后创建一个 Service 对象,在 Master 节点下,我们只需要通过用于集群通信的 9300 端口进行通信。
  3. 最后使用一个 Deployment 对象来定义 Master 节点应用。
  1. # elasticsearch-master.configmap.yaml
  2. ---
  3. apiVersion: v1
  4. kind: ConfigMap
  5. metadata:
  6.   name: elasticsearch-master-config
  7.   labels:
  8.     app: elasticsearch
  9.     role: master
  10. data:
  11.   elasticsearch.yml: |-
  12.     cluster.name: ${CLUSTER_NAME}
  13.     node.name: ${NODE_NAME}
  14.     discovery.seed_hosts: ${NODE_LIST}
  15.     cluster.initial_master_nodes: ${MASTER_NODES}
  17.     network.host: 0.0.0.0
  19.     node:
  20.       master: true
  21.       data: false
  22.       ingest: false
  24.     xpack.security.enabled: true
  25.     xpack.monitoring.collection.enabled: true
  26. ---
  27. # elasticsearch-master.service.yaml
  28. ---
  29. apiVersion: v1
  30. kind: Service
  31. metadata:
  32.   name: elasticsearch-master
  33.   labels:
  34.     app: elasticsearch
  35.     role: master
  36. spec:
  37.   ports:
  38.   - port: 9300
  39.     name: transport
  40.   selector:
  41.     app: elasticsearch
  42.     role: master
  43. ---
  44. # elasticsearch-master.deployment.yaml
  45. ---
  46. apiVersion: apps/v1
  47. kind: Deployment
  48. metadata:
  49.   name: elasticsearch-master
  50.   labels:
  51.     app: elasticsearch
  52.     role: master
  53. spec:
  54.   replicas: 1
  55.   selector:
  56.     matchLabels:
  57.       app: elasticsearch
  58.       role: master
  59.   template:
  60.     metadata:
  61.       labels:
  62.         app: elasticsearch
  63.         role: master
  64.     spec:
  65.       containers:
  66.       - name: elasticsearch-master
  67.         image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
  68.         env:
  69.         - name: CLUSTER_NAME
  70.           value: elasticsearch
  71.         - name: NODE_NAME
  72.           value: elasticsearch-master
  73.         - name: NODE_LIST
  74.           value: elasticsearch-master,elasticsearch-data,elasticsearch-client
  75.         - name: MASTER_NODES
  76.           value: elasticsearch-master
  77.         - name: "ES_JAVA_OPTS"
  78.           value: "-Xms512m -Xmx512m"
  79.         ports:
  80.         - containerPort: 9300
  81.           name: transport
  82.         volumeMounts:
  83.         - name: config
  84.           mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
  85.           readOnly: true
  86.           subPath: elasticsearch.yml
  87.         - name: storage
  88.           mountPath: /data
  89.       volumes:
  90.       - name: config
  91.         configMap:
  92.           name: elasticsearch-master-config
  93.       - name: "storage"
  94.         emptyDir:
  95.           medium: ""

注:
为何在cm中要定义kv值,且deploy文件里又定义了相同的环境变量?
为何要挂载个临时卷 /data

2.2 安装 ElasticSearch 数据节点

  1. 和 master 节点一样,我们使用一个 ConfigMap 对象来配置我们的数据节点.
  2. 可以看到和上面的 master 配置非常类似,不过需要注意的是属性 node.data=true。
  3. 同样只需要通过 9300 端口和其他节点进行通信.
  4. 最后创建一个 StatefulSet 的控制器,因为可能会有多个数据节点,每一个节点的数据不是一样的,需要单独存储,所以也使用了一个 volumeClaimTemplates 来分别创建存储卷,对应的资源清单文件如下所示:
  1. # elasticsearch-data.configmap.yaml
  2. ---
  3. apiVersion: v1
  4. kind: ConfigMap
  5. metadata:
  6.   name: elasticsearch-data-config
  7.   labels:
  8.     app: elasticsearch
  9.     role: data
  10. data:
  11.   elasticsearch.yml: |-
  12.     cluster.name: ${CLUSTER_NAME}
  13.     node.name: ${NODE_NAME}
  14.     discovery.seed_hosts: ${NODE_LIST}
  15.     cluster.initial_master_nodes: ${MASTER_NODES}
  17.     network.host: 0.0.0.0
  19.     node:
  20.       master: false
  21.       data: true
  22.       ingest: false
  24.     xpack.security.enabled: true
  25.     xpack.monitoring.collection.enabled: true
  27. # elasticsearch-data.service.yaml
  28. ---
  29. apiVersion: v1
  30. kind: Service
  31. metadata:
  32.   name: elasticsearch-data
  33.   labels:
  34.     app: elasticsearch
  35.     role: data
  36. spec:
  37.   ports:
  38.   - port: 9300
  39.     name: transport
  40.   selector:
  41.     app: elasticsearch
  42.     role: data
  43. ---
  44. # elasticsearch-data.statefulset.yaml
  45. ---
  46. apiVersion: apps/v1
  47. kind: StatefulSet
  48. metadata:
  49.   name: elasticsearch-data
  50.   labels:
  51.     app: elasticsearch
  52.     role: data
  53. spec:
  54.   serviceName: "elasticsearch-data"
  55.   selector:
  56.     matchLabels:
  57.       app: elasticsearch
  58.       role: data
  59.   template:
  60.     metadata:
  61.       labels:
  62.         app: elasticsearch
  63.         role: data
  64.     spec:
  65.       containers:
  66.       - name: elasticsearch-data
  67.         image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
  68.         env:
  69.         - name: CLUSTER_NAME
  70.           value: elasticsearch
  71.         - name: NODE_NAME
  72.           value: elasticsearch-data
  73.         - name: NODE_LIST
  74.           value: elasticsearch-master,elasticsearch-data,elasticsearch-client
  75.         - name: MASTER_NODES
  76.           value: elasticsearch-master
  77.         - name: "ES_JAVA_OPTS"
  78.           value: "-Xms1024m -Xmx1024m"
  79.         ports:
  80.         - containerPort: 9300
  81.           name: transport
  82.         volumeMounts:
  83.         - name: config
  84.           mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
  85.           readOnly: true
  86.           subPath: elasticsearch.yml
  87.         - name: elasticsearch-data-persistent-storage
  88.           mountPath: /data/db
  89.       volumes:
  90.       - name: config
  91.         configMap:
  92.           name: elasticsearch-data-config
  93.   volumeClaimTemplates:
  94.   - metadata:
  95.       name: elasticsearch-data-persistent-storage
  96.     spec:
  97.       accessModes: [ "ReadWriteOnce" ]
  98.       storageClassName: general-cinder
  99.       resources:
  100.         requests:
  101.           storage: 50Gi
  102. ---


注:
sts挂载静态存储时,需要预先创建一个sc。比如general-cinder

2.3 安装 ElasticSearch 客户端节点

最后来安装配置 ElasticSearch 的客户端节点,该节点主要负责暴露一个 HTTP 接口将查询数据传递给数据节点获取数据。

  1. 同样使用一个 ConfigMap 对象来配置该节点
  2. 客户端节点需要暴露两个端口,9300端口用于与集群的其他节点进行通信,9200端口用于 HTTP API。对应的 Service 对象如下所示
  3. 使用一个 Deployment 对象来描述客户端节点
  1. # elasticsearch-client.configmap.yaml
  2. ---
  3. apiVersion: v1
  4. kind: ConfigMap
  5. metadata:
  6.   name: elasticsearch-client-config
  7.   labels:
  8.     app: elasticsearch
  9.     role: client
  10. data:
  11.   elasticsearch.yml: |-
  12.     cluster.name: ${CLUSTER_NAME}
  13.     node.name: ${NODE_NAME}
  14.     discovery.seed_hosts: ${NODE_LIST}
  15.     cluster.initial_master_nodes: ${MASTER_NODES}
  17.     network.host: 0.0.0.0
  19.     node:
  20.       master: false
  21.       data: false
  22.       ingest: true
  24.     xpack.security.enabled: true
  25.     xpack.monitoring.collection.enabled: true
  26. ---
  27. # elasticsearch-client.service.yaml
  28. ---
  29. apiVersion: v1
  30. kind: Service
  31. metadata:
  32.   name: elasticsearch-client
  33.   labels:
  34.     app: elasticsearch
  35.     role: client
  36. spec:
  37.   ports:
  38.   - port: 9200
  39.     name: client
  40.   - port: 9300
  41.     name: transport
  42.   selector:
  43.     app: elasticsearch
  44.     role: client
  45. ---
  46. # elasticsearch-client.deployment.yaml
  47. ---
  48. apiVersion: apps/v1
  49. kind: Deployment
  50. metadata:
  51.   name: elasticsearch-client
  52.   labels:
  53.     app: elasticsearch
  54.     role: client
  55. spec:
  56.   selector:
  57.     matchLabels:
  58.       app: elasticsearch
  59.       role: client
  60.   template:
  61.     metadata:
  62.       labels:
  63.         app: elasticsearch
  64.         role: client
  65.     spec:
  66.       containers:
  67.       - name: elasticsearch-client
  68.         image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
  69.         env:
  70.         - name: CLUSTER_NAME
  71.           value: elasticsearch
  72.         - name: NODE_NAME
  73.           value: elasticsearch-client
  74.         - name: NODE_LIST
  75.           value: elasticsearch-master,elasticsearch-data,elasticsearch-client
  76.         - name: MASTER_NODES
  77.           value: elasticsearch-master
  78.         - name: "ES_JAVA_OPTS"
  79.           value: "-Xms256m -Xmx256m"
  80.         ports:
  81.         - containerPort: 9200
  82.           name: client
  83.         - containerPort: 9300
  84.           name: transport
  85.         volumeMounts:
  86.         - name: config
  87.           mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
  88.           readOnly: true
  89.           subPath: elasticsearch.yml
  90.         - name: storage
  91.           mountPath: /data
  92.       volumes:
  93.       - name: config
  94.         configMap:
  95.           name: elasticsearch-client-config
  96.       - name: "storage"
  97.         emptyDir:
  98.           medium: ""
  99. ---

2.4 生成密码

我们启用了 xpack 安全模块来保护我们的集群,所以我们需要一个初始化的密码。我们可以执行如下所示的命令,在客户端节点容器内运行 bin/elasticsearch-setup-passwords 命令来生成默认的用户名和密码:

  1. [root@elasticsearch-client-6fb8994f4b-p7r6f elasticsearch]# bin/elasticsearch-setup-passwords auto -b
  3. Your cluster health is currently RED.
  4. This means that some cluster data is unavailable and your cluster is not fully functional.
  6. It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
  7. It is very likely that the password changes will fail when run against an unhealthy cluster.
  9. Changed password for user apm_system
  10. PASSWORD apm_system = IzRO5ghRqr4tb8JMHcxQ
  12. Changed password for user kibana_system
  13. PASSWORD kibana_system = ixpkrMfUXtieWPIFv6sB
  15. Changed password for user kibana
  16. PASSWORD kibana = ixpkrMfUXtieWPIFv6sB
  18. Changed password for user logstash_system
  19. PASSWORD logstash_system = 9pIv0jWRzogSJvE2QCRU
  21. Changed password for user beats_system
  22. PASSWORD beats_system = YguqwhBTXBqU3osiOPiB
  24. Changed password for user remote_monitoring_user
  25. PASSWORD remote_monitoring_user = 1uh95KrodBGsncpCXX6l
  27. Changed password for user elastic
  28. PASSWORD elastic = paxu3UgBJcPVHY9b4tQD


注意需要将 elastic 用户名和密码也添加到 Kubernetes 的 Secret 对象中:

  1. $ kubectl create secret generic es-pwd \
  2.     -n elastic \
  3.     --from-literal password=paxu3UgBJcPVHY9b4tQD
  4. secret/es-pwd created

2.5 验证集群搭建成功

验证集群状态为绿色,健康状态。

  1. $ kubectl get pods -n elastic -l app=elasticsearch
  2. NAME                                    READY   STATUS    RESTARTS   AGE
  3. elasticsearch-client-6fb8994f4b-vx7lf   1/1     Running   0          5d12h
  4. elasticsearch-data-0                    1/1     Running   0          5d12h
  5. elasticsearch-master-6764787d9f-k2wwq   1/1     Running   0          5d12h
  8. # 查看集群的状态变化
  9. $ kubectl logs -f -n elastic $(kubectl get pods -n elastic | grep elasticsearch-master | sed -n 1p | awk '{print $1}') | grep "Cluster health status changed from"
  10. {"type": "server", "timestamp": "2021-09-15T18:59:05,442Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.monitoring-es-7-2021.09.15][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  11. {"type": "server", "timestamp": "2021-09-15T18:59:06,386Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-7][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  12. {"type": "server", "timestamp": "2021-09-15T19:01:20,525Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana_1][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  13. {"type": "server", "timestamp": "2021-09-15T19:01:22,344Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana-event-log-7.8.0-000001][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  14. {"type": "server", "timestamp": "2021-09-15T19:01:23,260Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[ilm-history-2-000001][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  15. {"type": "server", "timestamp": "2021-09-15T19:01:23,890Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.apm-custom-link][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }
  16. {"type": "server", "timestamp": "2021-09-15T19:01:33,042Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.monitoring-kibana-7-2021.09.15][0]]]).", "cluster.uuid": "BXZj294tQsCwvZUrAGXBVg", "node.id": "OmSHMrkdTKaeX-bN-5r9Mg"  }

image.png

  1. [escore@eks-stable-new-l32xkuxp2iez-master-2 ~]$ curl --user elastic:paxu3UgBJcPVHY9b4tQD 10.253.4.31:9200/_cat/health
  2. 1632332525 17:42:05 elasticsearch green 3 1 2 2 0 0 0 0 - 100.0%
  • status:集群的状态,red红表示集群不可用,有故障。yellow黄表示集群不可靠但可用,一般单节点时就是此状态。green正常状态,表示集群一切正常。
  • node.total:节点数,这里是3,表示该集群有3个节点
  • node.data:数据节点数,存储数据的节点数,这里是3
  • shards:表示我们把数据分成多少块存储
  • pri:主分片数,primary shards
  • active_shards_percent:激活的分片百分比,这里可以理解为加载的数据分片数,只有加载所有的分片数,集群才算正常启动,在启动的过程中,如果我们不断刷新这个页面,我们会发现这个百分比不断加大

    2、配置kibanna

  1. 首先我们使用 ConfigMap 对象来提供一个文件,其中包括对 ElasticSearch 的访问(主机、用户名和密码),这些都是通过环境变量配置的
  2. 然后通过一个 NodePort 类型的服务来暴露 Kibana 服务
  3. 最后通过 Deployment 来部署 Kibana 服务,由于需要通过环境变量提供密码,这里我们使用上面创建的 Secret 对象来引用: ```

    kibana.configmap.yaml

apiVersion: v1 kind: ConfigMap metadata: name: kibana-config labels: app: kibana data: kibana.yml: |- server.host: 0.0.0.0

  1. elasticsearch:
  2.   hosts: ${ELASTICSEARCH_HOSTS}
  3.   username: ${ELASTICSEARCH_USER}
  4.   password: ${ELASTICSEARCH_PASSWORD}

kibana.service.yaml

apiVersion: v1 kind: Service metadata: name: kibana labels: app: kibana spec: type: NodePort ports:

  • port: 5601 name: webinterface selector: app: kibana

kibana.deployment.yaml

apiVersion: apps/v1 kind: Deployment metadata: name: kibana labels: app: kibana spec: selector: matchLabels: app: kibana template: metadata: labels: app: kibana spec: containers:

  1.   - name: kibana
  2.     image: docker.elastic.co/kibana/kibana:7.8.0
  3.     ports:
  4.     - containerPort: 5601
  5.       name: webinterface
  6.     env:
  7.     - name: ELASTICSEARCH_HOSTS
  8.       value: "http://elasticsearch-client.elastic.svc.cluster.local:9200"
  9.     - name: ELASTICSEARCH_USER
  10.       value: "elastic"
  11.     - name: ELASTICSEARCH_PASSWORD
  12.       valueFrom:
  13.         secretKeyRef:
  14.           name: es-pwd
  15.           key: password
  16.     volumeMounts:
  17.     - name: config
  18.       mountPath: /usr/share/kibana/config/kibana.yml
  19.       readOnly: true
  20.       subPath: kibana.yml
  21.   volumes:
  22.   - name: config
  23.     configMap:
  24.       name: kibana-config
  1. 部署成功后,可以通过查看 Pod 的日志来了解 Kibana 的状态:
  2. ```yaml
  3. [escore@eks-stable-new-l32xkuxp2iez-master-2 ~]$ kubectl logs -f -n elastic $(kubectl get pods -n elastic | grep kibana | sed -n 1p | awk '{print $1}')      | grep "Status changed from yellow to green"
  4. {"type":"log","@timestamp":"2021-09-22T17:58:40Z","tags":["status","plugin:elasticsearch@7.8.0","info"],"pid":7,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}


2.1 访问kibanna

如下图所示,使用上面我们创建的 Secret 对象的 elastic 用户和生成的密码即可登录:

image.png

到这里我们就安装成功了 ElasticSearch 与 Kibana,它们将为我们来存储和可视化我们的应用数据(监控指标、日志和追踪)服务。最后还可以通过 Management → Stack Monitoring 页面查看整个集群的健康状态:

image.png

3、配置filebeat

安装配置 Filebeat 来收集 Kubernetes 集群中的日志数据,然后发送到 ElasticSearch 去中,Filebeat 是一个轻量级的日志采集代理,还可以配置特定的模块来解析和可视化应用(比如数据库、Nginx 等)的日志格式。

Filebeat 也需要一个配置文件来设置和 ElasticSearch 的链接信息、和 Kibana 的连接已经日志采集和解析的方式。

  1. 配置采集 /var/log/containers/ 下面的所有日志数据,并且使用 inCluster 的模式访问 Kubernetes 的 APIServer,获取日志数据的 Meta 信息,将日志直接发送到 Elasticsearch。
  2. 此外还通过 policy_file 定义了 indice 的回收策略
  3. RBAC权限
  1. # filebeat.settings.configmap.yml
  2. ---
  3. apiVersion: v1
  4. kind: ConfigMap
  5. metadata:
  6.   name: filebeat-config
  7.   labels:
  8.     app: filebeat
  9. data:
  10.   filebeat.yml: |-
  11.     filebeat.inputs:
  12.     - type: container
  13.       enabled: true
  14.       paths:
  15.       - /var/log/containers/*.log
  16.       processors:
  17.       - add_kubernetes_metadata:
  18.           in_cluster: true
  19.           host: ${NODE_NAME}
  20.           matchers:
  21.           - logs_path:
  22.               logs_path: "/var/log/containers/"
  24.     filebeat.autodiscover:
  25.       providers:
  26.         - type: kubernetes
  27.           templates:
  28.             - condition.equals:
  29.                 kubernetes.labels.app: mongo
  30.               config:
  31.                 - module: mongodb
  32.                   enabled: true
  33.                   log:
  34.                     input:
  35.                       type: docker
  36.                       containers.ids:
  37.                         - ${data.kubernetes.container.id}
  39.     processors:
  40.       - drop_event:
  41.           when.or:
  42.               - and:
  43.                   - regexp:
  44.                       message: '^\d+\.\d+\.\d+\.\d+ '
  45.                   - equals:
  46.                       fileset.name: error
  47.               - and:
  48.                   - not:
  49.                       regexp:
  50.                           message: '^\d+\.\d+\.\d+\.\d+ '
  51.                   - equals:
  52.                       fileset.name: access
  53.       - add_cloud_metadata:
  54.       - add_kubernetes_metadata:
  55.           matchers:
  56.           - logs_path:
  57.               logs_path: "/var/log/containers/"
  58.       - add_docker_metadata:
  60.     output.elasticsearch:
  61.       hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  62.       username: ${ELASTICSEARCH_USERNAME}
  63.       password: ${ELASTICSEARCH_PASSWORD}
  65.     setup.kibana:
  66.       host: '${KIBANA_HOST:kibana}:${KIBANA_PORT:5601}'
  68.     setup.dashboards.enabled: true
  69.     setup.template.enabled: true
  71.     setup.ilm:
  72.       policy_file: /etc/indice-lifecycle.json
  73. ---
  75. # filebeat.indice-lifecycle.configmap.yml
  76. ---
  77. apiVersion: v1
  78. kind: ConfigMap
  79. metadata:
  80.   name: filebeat-indice-lifecycle
  81.   labels:
  82.     app: filebeat
  83. data:
  84.   indice-lifecycle.json: |-
  85.     {
  86.       "policy": {
  87.         "phases": {
  88.           "hot": {
  89.             "actions": {
  90.               "rollover": {
  91.                 "max_size": "5GB" ,
  92.                 "max_age": "1d"
  93.               }
  94.             }
  95.           },
  96.           "delete": {
  97.             "min_age": "30d",
  98.             "actions": {
  99.               "delete": {}
  100.             }
  101.           }
  102.         }
  103.       }
  104.     }
  105. ---
  106. #filebeat.daemonset.yml
  107. ---
  108. apiVersion: apps/v1
  109. kind: DaemonSet
  110. metadata:
  111.   name: filebeat
  112.   labels:
  113.     app: filebeat
  114. spec:
  115.   selector:
  116.     matchLabels:
  117.       app: filebeat
  118.   template:
  119.     metadata:
  120.       labels:
  121.         app: filebeat
  122.     spec:
  123.       serviceAccountName: filebeat
  124.       terminationGracePeriodSeconds: 30
  125.       containers:
  126.       - name: filebeat
  127.         image: docker.elastic.co/beats/filebeat:7.8.0
  128.         args: [
  129.           "-c", "/etc/filebeat.yml",
  130.           "-e",
  131.         ]
  132.         env:
  133.         - name: ELASTICSEARCH_HOST
  134.           value: elasticsearch-client.elastic.svc.cluster.local
  135.         - name: ELASTICSEARCH_PORT
  136.           value: "9200"
  137.         - name: ELASTICSEARCH_USERNAME
  138.           value: elastic
  139.         - name: ELASTICSEARCH_PASSWORD
  140.           valueFrom:
  141.             secretKeyRef:
  142.               name: es-pwd
  143.               key: password
  144.         - name: KIBANA_HOST
  145.           value: kibana.elastic.svc.cluster.local
  146.         - name: KIBANA_PORT
  147.           value: "5601"
  148.         - name: NODE_NAME
  149.           valueFrom:
  150.             fieldRef:
  151.               fieldPath: spec.nodeName
  152.         securityContext:
  153.           runAsUser: 0
  154.         resources:
  155.           limits:
  156.             cpu: 1000m
  157.             memory: 200Mi
  158.           requests:
  159.             cpu: 100m
  160.             memory: 100Mi
  161.         volumeMounts:
  162.         - name: config
  163.           mountPath: /etc/filebeat.yml
  164.           readOnly: true
  165.           subPath: filebeat.yml
  166.         - name: filebeat-indice-lifecycle
  167.           mountPath: /etc/indice-lifecycle.json
  168.           readOnly: true
  169.           subPath: indice-lifecycle.json
  170.         - name: data
  171.           mountPath: /usr/share/filebeat/data
  172.         - name: varlog
  173.           mountPath: /var/log
  174.           readOnly: true
  175.         - name: varlibdockercontainers
  176.           mountPath: /var/lib/docker/containers
  177.           readOnly: true
  178.         - name: dockersock
  179.           mountPath: /var/run/docker.sock
  180.       volumes:
  181.       - name: config
  182.         configMap:
  183.           defaultMode: 0600
  184.           name: filebeat-config
  185.       - name: filebeat-indice-lifecycle
  186.         configMap:
  187.           defaultMode: 0600
  188.           name: filebeat-indice-lifecycle
  189.       - name: varlog
  190.         hostPath:
  191.           path: /var/log
  192.       - name: varlibdockercontainers
  193.         hostPath:
  194.           path: /var/lib/docker/containers
  195.       - name: dockersock
  196.         hostPath:
  197.           path: /var/run/docker.sock
  198.       - name: data
  199.         hostPath:
  200.           path: /var/lib/filebeat-data
  201.           type: DirectoryOrCreate
  1. ---
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: ClusterRoleBinding
  4. metadata:
  5.   name: filebeat
  6.   namespace: elastic
  7. subjects:
  8. - kind: ServiceAccount
  9.   name: filebeat
  10.   namespace: elastic
  11. roleRef:
  12.   kind: ClusterRole
  13.   name: filebeat
  14.   apiGroup: rbac.authorization.k8s.io
  15. ---
  16. apiVersion: rbac.authorization.k8s.io/v1
  17. kind: ClusterRole
  18. metadata:
  19.   name: filebeat
  20.   labels:
  21.     app: filebeat
  22. rules:
  23. - apiGroups: [""]
  24.   resources:
  25.   - namespaces
  26.   - pods
  27.   verbs:
  28.   - get
  29.   - watch
  30.   - list
  31. ---
  32. apiVersion: v1
  33. kind: ServiceAccount
  34. metadata:
  35.   name: filebeat
  36.   labels:
  37.     app: filebeat
  38. ---