When managing Fleet instances at scale, visibility into control plane activity and audit trails is essential for troubleshooting and compliance. ACK One centralizes control plane component logs and audit logs from Fleet instances and delivers them to designated Simple Log Service (SLS) projects in your Alibaba Cloud account.
Prerequisites
Before you begin, make sure that you have:
-
Sufficient Logstore quota in your SLS account. The default quota per Alibaba Cloud account is 50. To increase the quota, submit a ticket
How log collection works
When log collection is enabled for a Fleet instance, ACK One collects logs from four control plane components and delivers them to newly created SLS projects on a pay-as-you-go basis.
The four components and their dedicated Logstores are:
| Component | Logstore | Description |
|---|---|---|
| kube-apiserver | apiserver |
Exposes the Kubernetes API. See kube-apiserver. |
| kube-controller-manager | kcm |
Manages the core control loops of a Kubernetes cluster. See kube-controller-manager. |
| application-controller | application-controller |
Handles application distribution in ACK One. Logs cover application distribution events. |
| cluster-operator | cluster-operator |
Manages cluster association and disassociation with Fleet instances. Logs cover cluster association and disassociation events. |
For more information about these components, see Kubernetes components.
Constraints:
-
Control plane component logs and audit logs are always enabled and disabled together. They cannot be managed independently.
-
Logs can only be delivered to newly created SLS projects, not to existing ones.
Enable log collection
Enable Collection of Operation Logs and Auditing Logs is turned on by default when you create a Fleet instance. If you skipped this step or need to enable it for an existing instance, use Method 2.
Method 1: Enable when creating a Fleet instance
Turn on Enable Collection of Operation Logs and Auditing Logs during Fleet instance creation. For more information, see Enable Fleet management.
Method 2: Enable for an existing Fleet instance
-
Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Fleet Observability > Fleet Log Center.
-
On the Log Center page, click the Audit Logs tab, then click Enable.
To disable log collection, click Disable Audit Logs & Control Plane Logs in the upper-right corner of the page.
View logs
After enabling log collection, access your logs from either the SLS console or the ACK One console.
View logs in the SLS console
-
Log on to the Simple Log Service console.
-
In the Projects section, click the name of the project used by the Fleet instance.
-
On the Log Storage page, select a Logstore from the Logstores list. Each control plane component has a dedicated Logstore — refer to the table in How log collection works for the full list of Logstore names. For more information about querying logs, see What is Simple Log Service?.
View logs in the ACK One console
-
Log on to the ACK One console. In the left-side navigation pane, choose Fleet > Fleet Observability > Fleet Log Center.
-
On the Log Center page, click the Audit Logs or Logs of Control Plane Components tab to view the logs.
If you manage multiple Fleet instances, select the target Fleet instance on the Fleet Information page before clicking the tabs.
Troubleshooting
After clicking the Audit Logs or Logs of Control Plane Components tab, I see an "invalid endpoint" error.
Your Alibaba Cloud account has exceeded the SLS project quota. To resolve this:
-
Delete unused SLS projects to free up quota.
-
Submit a ticket to request a quota increase.
After deleting the SLS project used for log collection, logs are no longer collected.
The system does not automatically create a new SLS project or Logstores after deletion. To re-enable collection, turn off Enable Collection of Operation Logs and Auditing Logs and then turn it on again.