Container Service for Kubernetes: Integrate Simple Log Service with registered clusters

Last Updated: Mar 26, 2026

When you run Kubernetes clusters outside of ACK—such as in an on-premises data center—you lose the built-in observability that managed clusters provide. Simple Log Service (SLS) fills this gap by giving you centralized log collection and analysis across all your registered clusters, regardless of where they run.

This topic walks you through three tasks: granting the Resource Access Management (RAM) permissions that the logtail-ds add-on requires, installing the add-on, and optionally configuring cluster-wide log collection rules.

Prerequisites

Before you begin, make sure you have:

Step 1: Configure RAM permissions for SLS components

The logtail-ds add-on needs RAM permissions to write logs to SLS. Two methods are available:

Method                  Best for
onectl (recommended)    Fastest path: a single command grants all required permissions automatically.
Console                 Needed when you require fine-grained control over the RAM user and policy.

Use onectl (recommended)

  1. Install onectl on your on-premises machine. See Use onectl to manage registered clusters.

  2. Grant RAM permissions for SLS components:

    onectl ram-user grant --addon logtail-ds

    Expected output:

    Ram policy ack-one-registered-cluster-policy-logtail-ds granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

This method requires creating a RAM user, attaching a custom policy, and storing the credentials as a Kubernetes Secret.

  1. Create a RAM user.

  2. Create a custom policy with the following content:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  3. Attach the custom policy to the RAM user.

  4. Create an AccessKey for the RAM user.

    Warning

    Configure a network policy to restrict AccessKey calls to trusted network environments. See AccessKey network access restriction policy.

  5. Create a Secret named alibaba-addon-secret in the kube-system namespace using the AccessKey from the previous step:

    kubectl -n kube-system create secret generic alibaba-addon-secret \
      --from-literal='access-key-id=<your AccessKey ID>' \
      --from-literal='access-key-secret=<your AccessKey Secret>'
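
To review what the custom policy in step 2 grants before attaching it, the following added example (not part of the original page or of Alibaba Cloud's tooling) buckets each action by verb and lists the destructive ones that a statement allows on an unscoped Resource. The sample policy is a constructed, shortened copy of the one above, and audit_policy and its helpers are hypothetical names.

```python
import json

# Constructed sample: same shape as the policy above, with a shortened Action list.
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Action": ["log:CreateProject", "log:GetProject", "log:DeleteProject",
               "log:DeleteLogStore", "log:RemoveConfigFromMachineGroup",
               "log:PostLogStoreLogs", "cs:DescribeTemplates"],
    "Resource": ["*"],
    "Effect": "Allow"
  }]
}"""

READ_VERBS = ("Get", "List", "Describe")
DESTRUCTIVE_VERBS = ("Delete", "Remove")


def as_list(value):
    """RAM policies accept a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def classify(action):
    """Bucket one 'service:Operation' action by the verb that starts the operation."""
    operation = action.split(":", 1)[-1]
    if "*" in operation:
        return "wildcard"
    if operation.startswith(DESTRUCTIVE_VERBS):
        return "destructive"
    return "read" if operation.startswith(READ_VERBS) else "write"


def audit_policy(policy_text):
    """Summarise each Allow statement and list the destructive or wildcard
    actions it grants on an unscoped Resource ("*")."""
    report = []
    for index, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        buckets = {"read": [], "write": [], "destructive": [], "wildcard": []}
        for action in as_list(stmt.get("Action", [])):
            buckets[classify(action)].append(action)
        unscoped = "*" in as_list(stmt.get("Resource", []))
        risky = buckets["destructive"] + buckets["wildcard"] if unscoped else []
        report.append({"statement": index, "unscoped": unscoped,
                       "counts": {k: len(v) for k, v in buckets.items()},
                       "review": sorted(risky)})
    return report


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Every action in the "review" list is usable against any resource in the account by whoever holds the AccessKey stored in alibaba-addon-secret.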

Step 2: Install the logtail-ds component

Use onectl (recommended)

Install logtail-ds with a single command:

onectl addon install logtail-ds

Expected output:

Addon logtail-ds, version **** installed.

Use the console

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your registered cluster. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Logs and Monitoring tab. Find logtail-ds and click Install in the lower-right corner of its card.

  4. In the confirmation dialog box, click OK.

(Optional) Step 3: Configure log collection for all pods

Connect to the registered cluster via kubectl, then apply the configuration for the log type you need.

Text logs

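Deploy the following AliyunLogConfig to collect text log files from all pods. The optional filter conditions under advanced.k8s narrow collection to the containers that match them: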

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  name: test-file                  # Must be unique in the cluster.
spec:
  project: k8s-log-c326bc86****    # Optional. Recommended format: k8s-log-<cluster ID>.
  logstore: test-file              # Required. SLS creates this Logstore automatically if it does not exist.
  logtailConfig:
    inputType: file                # "file" for text logs; "plugin" for standard output.
    configName: test-file          # Must match metadata.name.
    inputDetail:
      logType: common_reg_log      # Collect text logs in simple mode.
      logPath: /log/               # Directory where log files are located.
      filePattern: "*.log"         # Supports wildcard characters * and ?.
      dockerFile: true             # Set to true to collect files inside containers.
      advanced:                    # Optional container filter conditions.
        k8s:
          K8sNamespaceRegex: ^(default)$
          K8sPodRegex: '^(nginx-log-demo.*)$'
          K8sContainerRegex: ^(nginx-log-demo-0)$
          IncludeK8sLabel:
            job-name: "^(nginx-log-demo.*)$"

For a full reference of Logtail configuration fields, see Logtail configurations (legacy).

Standard output

Deploy the following AliyunLogConfig to collect stdout and stderr from all containers. After a successful deployment, SLS automatically creates a Logstore named stdout-logstore and starts collecting logs into it.

All containers are included by default, except those with COLLECT_STDOUT_FLAG:false set in their Docker environment configuration.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  name: stdout-collector           # Must be unique in the cluster.
spec:
  logstore: stdout-logstore        # Logstore to upload logs to.
  logtailConfig:
    inputType: plugin              # Use "plugin" for Docker stdout.
    configName: stdout-collector   # Must match metadata.name.
    inputDetail:
      plugin:
        inputs:
          - type: service_docker_stdout
            detail:
              Stdout: true
              Stderr: true
              # Collects all containers except those with "COLLECT_STDOUT_FLAG:false" in Docker env config.
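
Because a container can opt out of stdout collection with COLLECT_STDOUT_FLAG, the following added example (not from the original page) lists the containers whose output may be missing from stdout-logstore, given pod specs in the JSON shape that `kubectl get pods -A -o json` returns. The pod data is constructed and the function names are hypothetical; it assumes the flag is set as a container environment variable and treats anything other than a single literal `false` as needing manual review.

```python
import json

FLAG = "COLLECT_STDOUT_FLAG"  # opt-out variable named on this page

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "nginx-log-demo-0"},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"namespace": "payments", "name": "api-7d9f"},
     "spec": {
         "initContainers": [
             {"name": "migrate", "env": [{"name": FLAG, "value": "false"}]}],
         "containers": [
             {"name": "api", "env": [{"name": FLAG, "value": "False"}]},
             {"name": "sidecar", "env": [{"name": FLAG, "valueFrom": {
                 "configMapKeyRef": {"name": "cfg", "key": "flag"}}}]},
             {"name": "proxy", "envFrom": [{"configMapRef": {"name": "cfg"}}]}]}},
]})


def stdout_flag_state(container):
    """Classify one container spec as 'collected', 'excluded' or 'review'."""
    entries = [e for e in container.get("env") or [] if e.get("name") == FLAG]
    if len(entries) == 1 and entries[0].get("value") == "false":
        return "excluded"            # the literal opt-out the page describes
    if entries or container.get("envFrom"):
        # Duplicated, indirect (valueFrom/envFrom) or non-"false" values cannot
        # be resolved from the pod spec alone, so they are queued for review.
        return "review"
    return "collected"


def audit_stdout_coverage(pods_json):
    """Return sorted (namespace, pod, container, state) rows for containers
    whose stdout/stderr is not certain to reach stdout-logstore."""
    rows = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for container in containers:
            state = stdout_flag_state(container)
            if state != "collected":
                rows.append((meta.get("namespace", ""), meta["name"],
                             container["name"], state))
    return sorted(rows)


if __name__ == "__main__":
    for row in audit_stdout_coverage(SAMPLE_PODS):
        print(*row, sep="\t")
```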

Step 4: Configure Simple Log Service

With logtail-ds installed and log collection running, configure SLS to process and analyze the collected logs:
