filebeat_daemonset.yaml
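---
# Filebeat log shipper deployed as a DaemonSet. Four objects follow: the
# Namespace, the CA certificate used to verify Logstash, the Filebeat
# configuration, and the DaemonSet that runs one Filebeat pod per node.
apiVersion: v1
kind: Namespace
metadata:
  name: filebeat-ns
---
# CA certificate that Filebeat uses to verify the Logstash TLS endpoint
# (referenced by ssl.certificate_authorities in filebeat.yml).
# The value is the base64 form of a PEM "CERTIFICATE" block, i.e. public
# material. A CA private key must never be stored in this object.
apiVersion: v1
kind: Secret
metadata:
  name: filebeat-ca
  namespace: filebeat-ns
data:
  ca.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTVENDQWpHZ0F3SUJBZ0lVWTFIQ3Qyc2RWVU9aeEVVYjhvdzRua1R4K1JBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd05ERXlNREFHQTFVRUF4TXBSV3hoYzNScFl5QkRaWEowYVdacFkyRjBaU0JVYjI5c0lFRjFkRzluWlc1bApjbUYwWldRZ1EwRXdIaGNOTWpFd09ERTVNRFl4TXpNNVdoY05NalF3T0RFNE1EWXhNek01V2pBME1USXdNQVlEClZRUURFeWxGYkdGemRHbGpJRU5sY25ScFptbGpZWFJsSUZSdmIyd2dRWFYwYjJkbGJtVnlZWFJsWkNCRFFUQ0MKQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFPQzZWUUJoeFBKUUhYMzQrZDdxY21QbgoyMkRvaVV0NUdERjFycEJ3Zm96Nlo4aVp5VHdNUVlncXZJRUJsUGt3MlF6WThObVVIZGg4RSt3c1c1dlFWdEg4CjFqMHFwaTFxZWNuWXpmTUNzVWVlRmVWamtTRjRMK3JYZXl2RFUyWDgvK1Y1YVhxQ2xOeVJXWUpLRFQxejFVZ00KUEQ3enFPWnFjTFVITE54bG9TMW1vYjl6N29Rekw3clRkTW11WEFBTHFwRW4zLzdnTXJHWFhqV0ZNcHNadTFxYQpSWVBqSU9oUzFKY2tyUmVydmV3RWN2bTBud3lCQnpiQWhHRFFoRCszdjdUS0xRQTBNRytwTXlTWmVSQlJPZnJDCkhWcjh4b04yYVF5bCszWWJKMDBKeGJjYlVkNUl6dWtScmVFeFJnWGRtamRKbEd5N1NMY0NwcVBXQVBXaDUya0MKQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRkhRUk1oWmJZVlB4WjlVSUxWU3NGS3dzZ3lUZk1COEdBMVVkSXdRWQpNQmFBRkhRUk1oWmJZVlB4WjlVSUxWU3NGS3dzZ3lUZk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBREFRbTNhaEIxSEVTVWU0dEhiTENKaGN5TG1BZFEzdnNLcSs4Lzk3RGo3Q2cyWUEKam5ucHZJUEpVcWdtalcrYm9JL0N1WmRIN1hjZlNKWlVKdG9TbXFmMk1RQU9QOVEwZXd3aEdlKzhSNmRjYllzNwpHc3crV3drYWRoZ2R1N3JYdTBTSFNBZ0lndWVNVmNyY20xL094cEdhbzlGYWsvWEQyUDV1S3F0N0tsR0dNZVJHCjN6STduc0tQblFMTjRlcjhTR3I5SkJYTEszTGhrNHlGN0Znb05UeXBKVFVlWTRTMEN1bFpsTEhMT3MySXlWTGEKenZ0YUJ4T2l0ZjYycm5ZdjBTWWgxYWkvQXBVZ1NMSjZYd2VMK0xMUmgxSGhQR2hDSnlUUUtobFFxTnRuNmJQdQp1YnVMc2pmcm5VOEZJVHdxZDRiYkFMS3RSY1lNamRZcXYwQkQ4Z2M9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: filebeat-ns
data:
  # Placeholder to replace before applying: the internal IP that the
  # certificate's domain name maps to. The DaemonSet reads this key as
  # LOGSTASH_HOST and writes "<ip> node1.logstash.com" into /etc/hosts,
  # presumably so the host name checked during TLS verification matches the
  # Logstash certificate. Quoted so the value is always read as a string.
  node1.logstash.com: "<内网证书域名映射的ip>"
  # Main Filebeat configuration, mounted at /usr/share/filebeat/filebeat.yml.
  # - inputs.d/*.yml and modules.d/*.yml are re-read every 10s (reload.*);
  #   modules are disabled.
  # - Events are sent to node1.logstash.com:5044 over TLS, verified against
  #   the mounted ca.crt.
  # - NOTE(review): drop_fields removes log, host, input, agent and ecs, so
  #   the originating node and the source file path do not reach Logstash.
  #   Keep "host" and "log" if events must be traceable to a node and file
  #   during an investigation.
  filebeat.yml: |-
    filebeat.config:
      inputs:
        enabled: true
        path: inputs.d/*.yml
        #可以实现不重启服务,仅仅在修改配置文件的情况下,让filebeat重新加载配置文件就可以生效
        reload.enabled: true
        reload.period: 10s
      modules:
        enabled: false
        path: modules.d/*.yml
        reload.enabled: true
        reload.period: 10s
    # ------------------------------ Logstash Output -------------------------------
    output.logstash:
      # logstash服务ip
      hosts: ["node1.logstash.com:5044"]
      ssl.certificate_authorities:
        - /usr/share/filebeat/ssl/ca.crt
    # ================================= Processors =================================
    processors:
      - drop_fields:
          fields: ["log","host","input","agent","ecs"]
          ignore_missing: false
    # ================================== Logging ===================================
    logging.level: info
    logging.to_files: true
    logging.files:
      path: /var/log/filebeat
      name: filebeat
      keepfiles: 7
      permissions: 0644
    logging.metrics.enabled: true
    logging.metrics.period: 300s
  # Six inputs follow, one per log category (acc, biz, debug, error, sql,
  # warn). Each tags its events with logtype and env at the event root and
  # appends every line that does not start with a
  # "yyyy-MM-dd HH:mm:ss" + optional "." + 3-digit timestamp to the previous
  # event (multiline negate/after). <服务日志路径> is a placeholder for the
  # service log directory.
  # NOTE(review): debug and SQL logs may contain credentials or personal
  # data; confirm that the Logstash side restricts who can read them.
  acc.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/acc/acc*.log
      fields:
        logtype: acc
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
  biz.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/biz/biz*.log
      fields:
        logtype: biz
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
  debug.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/app/debug*.log
      fields:
        logtype: debug
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
  error.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/app/error*.log
      fields:
        logtype: error
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
  sql.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/sql/sql*.log
      fields:
        logtype: sql
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
  warn.yml: |-
    - type: log
      paths:
        - /var/log/<服务日志路径>/*/log/app/warn*.log
      fields:
        logtype: warn
        env: prod
      fields_under_root: true
      multiline.pattern: ^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.?\d{3})
      multiline.negate: true
      multiline.match: after
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: filebeat-ns
  labels:
    app: filebeat
spec:
  selector:
    matchLabels:
      app: filebeat
  template:
    metadata:
      labels:
        app: filebeat
    spec:
      terminationGracePeriodSeconds: 30
      # The Filebeat configuration in this file uses no Kubernetes API
      # features (no autodiscover, no add_kubernetes_metadata), so the pod
      # does not need a service-account token mounted. Remove this line if
      # such features are added later.
      automountServiceAccountToken: false
      # NOTE(review): hostNetwork places the pod in the node's network
      # namespace. Nothing in this manifest obviously requires it for
      # shipping to Logstash; confirm the need and drop it otherwise.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: filebeat
          # NOTE(review): the image is pinned by tag only; pinning by digest
          # guarantees every node runs the same image content. No resource
          # requests/limits are set for this container either.
          image: docker.elastic.co/beats/filebeat:7.14.0
          env:
            - name: LOGSTASH_HOST
              valueFrom:
                configMapKeyRef:
                  name: filebeat-config
                  key: node1.logstash.com
            # Exported from the pod's spec.nodeName; nothing in the
            # configuration shown here references it.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          command: ["/bin/sh", "-c"]
          # Maps node1.logstash.com to the configured IP, then starts
          # Filebeat. The variable is quoted so its value is written as-is,
          # and "exec" replaces the shell so Filebeat itself receives SIGTERM
          # and can stop within terminationGracePeriodSeconds.
          args:
            - |
              echo "$LOGSTASH_HOST node1.logstash.com" >> /etc/hosts
              exec ./filebeat -c ./filebeat.yml
          securityContext:
            # Root is used here to append to /etc/hosts and to write the
            # hostPath directories; reading the host log files may depend on
            # it too (confirm against their ownership).
            runAsUser: 0
            # Filebeat has no need to gain privileges beyond those of its
            # parent process.
            allowPrivilegeEscalation: false
          volumeMounts:
            # ConfigMap keys are mounted one file at a time with subPath.
            # Kubernetes does not propagate ConfigMap updates into subPath
            # mounts, so editing the ConfigMap only takes effect after the
            # pod is restarted, regardless of reload.enabled.
            - name: config
              mountPath: /usr/share/filebeat/filebeat.yml
              subPath: filebeat.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/acc.yml
              subPath: acc.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/biz.yml
              subPath: biz.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/debug.yml
              subPath: debug.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/error.yml
              subPath: error.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/sql.yml
              subPath: sql.yml
            - name: config
              mountPath: /usr/share/filebeat/inputs.d/warn.yml
              subPath: warn.yml
            - name: filebeat-log
              mountPath: /var/log/filebeat
            - name: secret
              mountPath: /usr/share/filebeat/ssl/ca.crt
              subPath: ca.crt
            # Application logs from the node, mounted read-only.
            - name: var-log
              mountPath: /var/log/<服务日志路径>
              readOnly: true
            - name: data
              mountPath: /usr/share/filebeat/data
      volumes:
        - name: config
          configMap:
            # Octal file mode: rw-r-----
            defaultMode: 0640
            name: filebeat-config
        - name: secret
          secret:
            defaultMode: 0640
            secretName: filebeat-ca
        # hostPath volumes give the container direct access to node
        # directories. Filebeat's own log directory and its data directory
        # are writable; only the application log directory is mounted
        # read-only in the container.
        - name: filebeat-log
          hostPath:
            path: /var/log/filebeat
            type: DirectoryOrCreate
        - name: var-log
          hostPath:
            path: /var/log/<服务日志路径>
        - name: data
          hostPath:
            path: /var/lib/filebeat-data
            type: DirectoryOrCreate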
特点总结
daemonset是用来部署守护进程的,DaemonSet用于在每个Kubernetes节点中将守护进程的副本作为后台进程运行,说白了就是在每个节点部署一个Pod副本,当节点加入到Kubernetes集群中,Pod会被调度到该节点上运行,当节点从集群中被移除后,该节点上的这个Pod也会被移除,当然,如果我们删除DaemonSet,所有和这个对象相关的Pods都会被删除。
在哪种情况下我们会需要用到这种业务场景呢?其实这种场景还是比较普通的,比如:
- 集群存储守护程序,如glusterd、ceph要部署在每个节点上以提供持久性存储;
- 节点监视守护进程,如Prometheus监控集群,可以在每个节点上运行一个node-exporter进程来收集监控节点的信息;
- 日志收集守护程序,如fluentd,filebeat或logstash,在每个节点上运行以收集容器的日志
这里需要特别说明的一个就是关于DaemonSet运行的Pod的调度问题,正常情况下,Pod运行在哪个节点上是由Kubernetes的调度器策略来决定的,然而,由DaemonSet控制器创建的Pod实际上提前已经确定了在哪个节点上了(Pod创建时指定了.spec.nodeName),所以:
- DaemonSet并不关心一个节点的unschedulable字段
- DaemonSet可以创建Pod,即使调度器还没有启动,这点非常重要。