You can enable Log Service for external Kubernetes clusters that are registered in
the Container Service for Kubernetes (ACK) console. This way, you can manage Kubernetes
clusters that are deployed across regions in a centralized manner. This topic describes
how to enable Log Service for a registered external Kubernetes cluster.
Step 1: Configure RAM permissions for the Log Service component
Before you can install the component in an external cluster, you must configure an AccessKey
pair that grants the external cluster the permissions to access Alibaba Cloud resources.
Before you configure the AccessKey pair, create a Resource Access Management (RAM) user
and grant the RAM user the permissions to access Alibaba Cloud resources.
- Create a RAM user. For more information, see Create a RAM user.
- Create a permission policy. For more information, see Create a custom policy.
The following code block shows the content of the permission policy for the Logtail
component:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:DeleteProject",
        "log:CreateLogStore",
        "log:GetLogStore",
        "log:UpdateLogStore",
        "log:DeleteLogStore",
        "log:CreateConfig",
        "log:UpdateConfig",
        "log:GetConfig",
        "log:DeleteConfig",
        "log:CreateMachineGroup",
        "log:UpdateMachineGroup",
        "log:GetMachineGroup",
        "log:DeleteMachineGroup",
        "log:ApplyConfigToGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:RemoveConfigFromMachineGroup",
        "log:CreateIndex",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:DeleteIndex",
        "log:CreateSavedSearch",
        "log:GetSavedSearch",
        "log:UpdateSavedSearch",
        "log:DeleteSavedSearch",
        "log:CreateDashboard",
        "log:GetDashboard",
        "log:UpdateDashboard",
        "log:DeleteDashboard",
        "log:CreateJob",
        "log:GetJob",
        "log:DeleteJob",
        "log:UpdateJob",
        "log:PostLogStoreLogs",
        "log:CreateSortedSubStore",
        "log:GetSortedSubStore",
        "log:ListSortedSubStore",
        "log:UpdateSortedSubStore",
        "log:DeleteSortedSubStore",
        "log:CreateApp",
        "log:UpdateApp",
        "log:GetApp",
        "log:DeleteApp",
        "cs:DescribeTemplates",
        "cs:DescribeTemplateAttribute"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
- Grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
- Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
- Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered external cluster. Run the following command to create the Secret. The Logtail component uses the Secret.
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
Note: Replace <your AccessKey ID> and <your AccessKey Secret> with the AccessKey pair that you obtained.
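The policy above allows every listed action on Resource "*", including delete operations, so it is worth reviewing what it grants before you attach it to the RAM user. The following Python sketch is an added example, not part of the original documentation: it groups the actions of wildcard-resource Allow statements into read, write and delete. POLICY_EXCERPT is a constructed, shortened copy of the policy, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed excerpt of the policy shown above (same structure, fewer actions).
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:CreateProject", "log:GetProject", "log:DeleteProject",
        "log:DeleteLogStore", "log:UpdateConfig", "log:PostLogStoreLogs",
        "cs:DescribeTemplates"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}
""")

def as_list(value):
    """Accept either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)

def classify(action):
    """Classify 'service:Operation' as 'read', 'delete' or 'write' by its verb."""
    operation = action.partition(":")[2]
    if operation.startswith(("Get", "List", "Describe")):
        return "read"
    if operation.startswith(("Delete", "Remove")):
        return "delete"
    return "write"

def review(policy):
    """Return one finding per Allow statement whose Resource includes "*"."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        grouped = defaultdict(list)
        for action in as_list(stmt.get("Action", [])):
            grouped[classify(action)].append(action)
        findings.append({"statement": index,
                         **{kind: sorted(acts) for kind, acts in grouped.items()}})
    return findings

if __name__ == "__main__":
    print(json.dumps(review(POLICY_EXCERPT), indent=2))
```

To review the full policy, save it to a file and pass the result of json.load() to review() instead of POLICY_EXCERPT.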
Step 2: Install the logtail-ds component
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, click Clusters.
- On the Clusters page, find the cluster that you want to manage and choose in the Actions column.
- Click the Logs and Monitoring tab. Find the logtail-ds component and click Install.
- In the Note dialog box, click OK.