#elasticsearch #ssl #kubernetes #filebeat #kubernetes-secrets
Вопрос:
Я развернул ES cluster и kibana с помощью ECK. Я использую filebeat-kubernetes.yaml для развертывания filebeat. Я развернул metricbeat с помощью metricbeat-kubernetes.yaml и его работа в порядке. Но даже после применения той же конфигурации к filebeat yaml он не может подключиться к ES. Ниже приведены журналы, связанные с URL-адресами TLS и ES. Я также использовал quickstart-es-http-сертификаты-публичный секрет для подключения к службе http elasticsearch. Пожалуйста, помогите в этом..
2021-07-08T11:47:43.229Z INFO [index-management] idxmgmt/std.go:184 Set
output.elasticsearch.index to 'filebeat-7.13.2' as ILM is enabled.
2021-07-08T11:47:43.229Z WARN [cfgwarn] tlscommon/config.go:105 DEPRECATED:
Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative
Names are present is going to be removed. Please update your certificates if needed. Will be
removed in version: 8.0.0
2021-07-08T11:47:43.229Z INFO eslegclient/connection.go:99 elasticsearch url:
https://quickstart-es-http:9200
2021-07-08T11:47:43.229Z INFO [publisher] pipeline/module.go:113 Beat name:
oke-cgusmlcotva-nti7iapgfvq-sl4fjm436ua-2
2021-07-08T11:47:43.230Z INFO [monitoring] log/log.go:117 Starting metrics
logging every 30s
2021-07-08T11:47:43.230Z INFO instance/beat.go:473 filebeat start running.
2021-07-08T11:47:43.231Z INFO memlog/store.go:119 Loading data file of '
/usr/share/filebeat/data/registry/filebeat' succeeded. Active transaction id=0
Ниже приведен файл.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: filebeat-config
namespace: default
labels:
k8s-app: filebeat
data:
filebeat.yml: |-
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
# To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
#filebeat.autodiscover:
# providers:
# - type: kubernetes
# node: ${NODE_NAME}
# hints.enabled: true
# hints.default_config:
# type: container
# paths:
# - /var/log/containers/*${data.kubernetes.container.id}.log
processors:
- add_cloud_metadata:
- add_host_metadata:
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
output.elasticsearch:
hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
ssl.certificate_authorities:
- /home/AK/certificate/tls.crt
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: filebeat
namespace: default
labels:
k8s-app: filebeat
spec:
selector:
matchLabels:
k8s-app: filebeat
template:
metadata:
labels:
k8s-app: filebeat
spec:
serviceAccountName: filebeat
terminationGracePeriodSeconds: 30
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: filebeat
image: docker.elastic.co/beats/filebeat:7.13.2
args: [
"-c", "/etc/filebeat.yml",
"-e",
]
env:
- name: ELASTICSEARCH_HOST
value: https://quickstart-es-http
- name: ELASTICSEARCH_PORT
value: "9200"
- name: ELASTICSEARCH_USERNAME
value: elastic
- name: ELASTICSEARCH_PASSWORD
value: password
- name: ELASTIC_CLOUD_ID
value:
- name: ELASTIC_CLOUD_AUTH
value:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
runAsUser: 0
# If using Red Hat OpenShift uncomment this:
#privileged: true
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
volumeMounts:
- name: config
mountPath: /etc/filebeat.yml
readOnly: true
subPath: filebeat.yml
- name: data
mountPath: /usr/share/filebeat/data
- name: cert
mountPath: /home/AK/certificate/tls.crt
readOnly: true
subPath: tls.crt
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: varlog
mountPath: /var/log
readOnly: true
volumes:
- name: config
configMap:
defaultMode: 0640
name: filebeat-config
- name: cert
secret:
secretName: quickstart-es-http-certs-public
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: varlog
hostPath:
path: /var/log
# data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
- name: data
hostPath:
# When filebeat runs as non-root user, this directory needs to be writable by group (g w).
path: /var/lib/filebeat-data
type: DirectoryOrCreate
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: filebeat
subjects:
- kind: ServiceAccount
name: filebeat
namespace: default
roleRef:
kind: ClusterRole
name: filebeat
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: filebeat
labels:
k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
resources:
- namespaces
- pods
- nodes
verbs:
- get
- watch
- list
- apiGroups: ["apps"]
resources:
- replicasets
verbs: ["get", "list", "watch"]
apiVersion: v1
kind: ServiceAccount
metadata:
name: filebeat
namespace: default
labels:
k8s-app: filebeat