Created
August 14, 2019 10:50
-
-
Save kvaps/b08c77f297c5cab21c237fd821310653 to your computer and use it in GitHub Desktop.
Journalbeat config for Kubernetes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
apiVersion: v1 | |
data: | |
journalbeat.yml: | | |
name: "${NODENAME}" | |
journalbeat.inputs: | |
- paths: [] | |
seek: cursor | |
cursor_seek_fallback: tail | |
processors: | |
- add_kubernetes_metadata: | |
host: "${NODENAME}" | |
in_cluster: true | |
default_indexers.enabled: false | |
default_matchers.enabled: false | |
indexers: | |
- container: | |
matchers: | |
- fields: | |
lookup_fields: ["container.id"] | |
- decode_json_fields: | |
fields: ["message"] | |
process_array: false | |
max_depth: 1 | |
target: "" | |
overwrite_keys: true | |
- drop_event.when: | |
or: | |
- regexp.kubernetes.pod.name: "filebeat-.*" | |
- regexp.kubernetes.pod.name: "journalbeat-.*" | |
- regexp.kubernetes.pod.name: "nginx-ingress-controller-.*" | |
- regexp.kubernetes.pod.name: "prometheus-operator-.*" | |
setup.template.enabled: false | |
setup.template.name: "journal-${ENVIRONMENT}-%{[agent.version]}" | |
setup.template.pattern: "journal-${ENVIRONMENT}-%{[agent.version]}-*" | |
setup.template.settings: | |
index.number_of_shards: 10 | |
index.refresh_interval: 10s | |
output.elasticsearch: | |
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}' | |
index: "journal-${ENVIRONMENT}-system-%{[agent.version]}-%{+YYYY.MM.dd}" | |
indices: | |
- index: "journal-${ENVIRONMENT}-k8s-%{[agent.version]}-%{+YYYY.MM.dd}" | |
when.has_fields: | |
- 'kubernetes.namespace' | |
kind: ConfigMap | |
metadata: | |
name: journalbeat-config | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
name: journalbeat | |
rules: | |
- apiGroups: | |
- extensions | |
resourceNames: | |
- journalbeat | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
- apiGroups: | |
- "" | |
resources: | |
- namespaces | |
- pods | |
verbs: | |
- get | |
- watch | |
- list | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: journalbeat | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: journalbeat | |
subjects: | |
- kind: ServiceAccount | |
name: journalbeat | |
namespace: journalbeat | |
--- | |
apiVersion: extensions/v1beta1 | |
kind: DaemonSet | |
metadata: | |
name: journalbeat | |
spec: | |
template: | |
metadata: | |
labels: | |
app: journalbeat | |
name: journalbeat | |
spec: | |
containers: | |
- args: | |
- -e | |
- -c | |
- /etc/journalbeat.yml | |
command: | |
- journalbeat | |
env: | |
- name: NODENAME | |
valueFrom: | |
fieldRef: | |
fieldPath: spec.nodeName | |
- name: PODNAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
- name: ELASTICSEARCH_HOSTS | |
value: 10.9.8.11:9200,10.9.8.12:9200,10.9.8.13:9200 | |
- name: ENVIRONMENT | |
value: stage | |
image: docker.elastic.co/beats/journalbeat:7.3.0 | |
imagePullPolicy: Always | |
name: journalbeat | |
resources: | |
limits: | |
cpu: 600m | |
memory: 800Mi | |
requests: | |
cpu: 200m | |
memory: 400Mi | |
volumeMounts: | |
- mountPath: /usr/share/journalbeat/data | |
name: data | |
- mountPath: /var/log/journal | |
name: var-journal | |
- mountPath: /run/log/journal | |
name: run-journal | |
- mountPath: /etc/journalbeat.yml | |
name: config | |
subPath: journalbeat.yml | |
- mountPath: /etc/machine-id | |
name: machine-id | |
hostNetwork: true | |
nodeSelector: {} | |
securityContext: | |
fsGroup: 0 | |
runAsUser: 0 | |
serviceAccount: journalbeat | |
terminationGracePeriodSeconds: 60 | |
tolerations: | |
- effect: NoSchedule | |
key: node-role.kubernetes.io/master | |
volumes: | |
- hostPath: | |
path: /var/log/journal/journalbeat-data | |
name: data | |
- hostPath: | |
path: /var/log/journal | |
name: var-journal | |
- hostPath: | |
path: /run/log/journal | |
name: run-journal | |
- hostPath: | |
path: /etc/machine-id | |
name: machine-id | |
- configMap: | |
items: | |
- key: journalbeat.yml | |
path: journalbeat.yml | |
name: journalbeat-config | |
name: config | |
--- | |
apiVersion: extensions/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default | |
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default | |
name: journalbeat | |
spec: | |
allowedCapabilities: | |
- KILL | |
- CHOWN | |
- FSETID | |
- FOWNER | |
- SETGID | |
- SETUID | |
- SETFCAP | |
- SETPCAP | |
- AUDIT_WRITE | |
- NET_BIND_SERVICE | |
fsGroup: | |
rule: RunAsAny | |
hostIPC: false | |
hostNetwork: false | |
hostPID: false | |
privileged: false | |
requiredDropCapabilities: | |
- MKNOD | |
- DAC_OVERRIDE | |
- NET_RAW | |
- SYS_CHROOT | |
runAsUser: | |
rule: RunAsAny | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
rule: RunAsAny | |
volumes: | |
- secret | |
- configMap | |
- hostPath | |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: journalbeat |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment