All Products
Search
Document Center

Container Service for Kubernetes:Enable Log Service for a registered cluster

Last Updated:Sep 19, 2023

You can enable Log Service for the registered clusters. This way, you can manage registered clusters that are deployed across regions in a centralized manner. This topic describes how to enable Log Service for a registered cluster.

Table of contents

Prerequisites

Step 1: Grant RAM permissions to logtail-ds

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to grant Resource Access Management (RAM) permissions to logtail-ds:

    onectl ram-user grant --addon logtail-ds

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

Before you install a component in a registered cluster, you must set the AccessKey pair to grant the registered cluster the permissions to access Alibaba Cloud resources. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy with the following code block. For more information, see Create a custom policy.

    Show sample code

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    
  3. Attach the policy to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.

  4. Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.

  5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.

    Run the following command to create the Secret. The Logtail component uses the Secret.

    kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
    Note

    Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained in the preceding step.

Step 2: Install logtail-ds

Use onectl

Run the following command to install logtail-ds:

onectl addon install logtail-ds

Expected output:

Addon logtail-ds, version **** installed.

Use the console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, click the Logs and Monitoring tab, find the logtail-ds component, and then click Install.

  4. In the Note dialog box, click OK.

(Optional) Step 3: Configure stdout collection for all pods

To configure stdout collection for all pods in a registered cluster, use kubectl to connect to the cluster and deploy an AliyunLogConfig with the following code block. After the AliyunLogConfig is deployed, a Logstore named stdout-logstore is automatically created.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  # your config name, must be unique in you k8s cluster.
  name: stdout-collector
spec:
  # logstore name to upload log.
  logstore: stdout-logstore
  # logtail config detail
  logtailConfig:
    # docker stdout's input type is 'plugin'.
    inputType: plugin
    # logtail config name, should be same with [metadata.name].
    configName: stdout-collector
    inputDetail:
      plugin:
        inputs:
          -
            type: service_docker_stdout
            detail:
              # collect stdout and stderr
              Stdout: true
              Stderr: true
              # collect all container's stdout except containers with "COLLECT_STDOUT_FLAG:false" in docker env config.

Step 4: Configure Log Service

For more information about how to configure Log Service when you create an application, see Step 2: Configure Log Service when you create an application.