From 4c84db1d7236ef52e82de795de31e96f0c7df2a0 Mon Sep 17 00:00:00 2001 From: chrismark Date: Tue, 21 Apr 2020 15:49:41 +0300 Subject: [PATCH 1/6] Improve Openshift documentation Signed-off-by: chrismark --- deploy/kubernetes/metricbeat-kubernetes.yaml | 1 + .../metricbeat/metricbeat-daemonset-configmap.yaml | 1 + metricbeat/docs/running-on-kubernetes.asciidoc | 9 +++++++++ 3 files changed, 11 insertions(+) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index f5550f6ecbe5..305f6a5f16cd 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -85,6 +85,7 @@ data: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - module: kubernetes metricsets: + # Not supported on Openshift - proxy period: 10s host: ${NODE_NAME} diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index 8760c3eaa0aa..149e5976661f 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -85,6 +85,7 @@ data: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - module: kubernetes metricsets: + # Not supported on Openshift - proxy period: 10s host: ${NODE_NAME} diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index dfa6cbb25d40..e08ad4a3a147 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc 
@@ -85,6 +85,15 @@ spec: If you are using Red Hat OpenShift, you need to specify additional settings in the manifest file and enable the container to run as privileged. +. Modify the `DaemonSet` container spec in the manifest file: ++ +[source,yaml] +----- + securityContext: + runAsUser: 0 + privileged: true +----- + . In the manifest file, edit the `metricbeat-daemonset-modules` ConfigMap, and specify the following settings under `kubernetes.yml` in the `data` section: + From 6a1b6e293e095286e209665aa8c798cd8e0d6ced Mon Sep 17 00:00:00 2001 From: chrismark Date: Wed, 22 Apr 2020 17:02:11 +0300 Subject: [PATCH 2/6] Fix proxy comment section Signed-off-by: chrismark --- deploy/kubernetes/metricbeat-kubernetes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 305f6a5f16cd..a231f095cf03 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -83,9 +83,9 @@ data: # uncomment these settings: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + # Currently `proxy` metricset is not supported on Openshift, comment out section. - module: kubernetes metricsets: - # Not supported on Openshift - proxy period: 10s host: ${NODE_NAME} From 0fe11d9a5db5f42fa9459af1fa2e32a2549bb8bd Mon Sep 17 00:00:00 2001 From: chrismark Date: Wed, 22 Apr 2020 17:24:43 +0300 Subject: [PATCH 3/6] Update daemonset too Signed-off-by: chrismark --- .../kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index 149e5976661f..208f4caf63b7 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml 
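Review bot: The new comment `# Currently `proxy` metricset is not supported on Openshift, comment out section.` in deploy/kubernetes/metricbeat-kubernetes.yaml does not say which section to comment out; it sits directly above the `- module: kubernetes` entry whose only metricset is `proxy`, so a reader may comment out just the `- proxy` line and leave the module with an empty `metricsets` list. Suggest naming the unit explicitly: `# The kubernetes proxy metricset is not supported on OpenShift: when deploying there, comment out this whole module block (the one listing only proxy)`. The same wording applies to the identical comment added to deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml in the following commit ("Update daemonset too"), which should stay byte-for-byte in sync with this file (this hunk ends with a trailing period, that one does not).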
@@ -83,9 +83,9 @@ data: # uncomment these settings: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + # Currently `proxy` metricset is not supported on Openshift, comment out section - module: kubernetes metricsets: - # Not supported on Openshift - proxy period: 10s host: ${NODE_NAME} From 8587d782d11702905dd1a14b11e729b66dc7dbc2 Mon Sep 17 00:00:00 2001 From: chrismark Date: Wed, 22 Apr 2020 17:47:30 +0300 Subject: [PATCH 4/6] add CA suggestion Signed-off-by: chrismark --- deploy/kubernetes/metricbeat-kubernetes.yaml | 6 +++--- .../metricbeat-daemonset-configmap.yaml | 4 ++-- metricbeat/docs/running-on-kubernetes.asciidoc | 18 +++++++++++++++++- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index a231f095cf03..41c4b3e5a23e 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -79,11 +79,11 @@ data: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.verification_mode: "none" - # If using Red Hat OpenShift remove ssl.verification_mode entry and - # uncomment these settings: + # If there is a CA available to reach out the Kubelet API remove ssl.verification_mode entry and + # use the CA, for instance: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - # Currently `proxy` metricset is not supported on Openshift, comment out section. + # Currently `proxy` metricset is not supported on Openshift, comment out section - module: kubernetes metricsets: - proxy diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index 208f4caf63b7..a5774d876dc5 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml 
+++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -79,8 +79,8 @@ data: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.verification_mode: "none" - # If using Red Hat OpenShift remove ssl.verification_mode entry and - # uncomment these settings: + # If there is a CA available to reach out the Kubelet API remove ssl.verification_mode entry and + # use the CA, for instance: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt # Currently `proxy` metricset is not supported on Openshift, comment out section diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index e08ad4a3a147..27cc34ee1d8e 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -112,8 +112,24 @@ specify the following settings under `kubernetes.yml` in the `data` section: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - ${VALID_CA} ----- +NOTE: `VALID_CA` can be any CA that is valid so as to reach out the Kubelet API, +for instance `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`. According to each specific installation +of Openshift this can be found either in `secrets` or in `configmaps`. +For instance, in case of using Openshift installer[https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md] +for GCP then the following `configmap` can be mounted in Metricbeat Pod and use `ca-bundle.crt` +in `ssl.certificate_authorities`: +``` +Name: kubelet-serving-ca +Namespace: openshift-kube-apiserver +Labels: +Annotations: + +Data +==== +ca-bundle.crt: +``` . Under the `metricbeat` ClusterRole, add the following resources: + 
From 3d357ea34e5c160f59a4d9e24cd4aea8c6099cce Mon Sep 17 00:00:00 2001 From: chrismark Date: Thu, 23 Apr 2020 11:12:20 +0300 Subject: [PATCH 5/6] review suggestions Signed-off-by: chrismark --- metricbeat/docs/running-on-kubernetes.asciidoc | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index 27cc34ee1d8e..2d7579061101 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -112,15 +112,18 @@ specify the following settings under `kubernetes.yml` in the `data` section: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - - ${VALID_CA} + - /path/to/kubelet-service-ca.crt ----- -NOTE: `VALID_CA` can be any CA that is valid so as to reach out the Kubelet API, -for instance `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`. According to each specific installation -of Openshift this can be found either in `secrets` or in `configmaps`. -For instance, in case of using Openshift installer[https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md] +NOTE: `kubelet-service-ca.crt` can be any CA bundle that contains the issuer of the certificate used in the Kubelet API. +According to each specific installation of Openshift this can be found either in `secrets` or in `configmaps`. +In some installations it can be available as part of the service account secret, in +`/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`. +In case of using Openshift installer[https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md] for GCP then the following `configmap` can be mounted in Metricbeat Pod and use `ca-bundle.crt` in `ssl.certificate_authorities`: -``` ++ +[source,shell] +----- Name: kubelet-serving-ca Namespace: openshift-kube-apiserver Labels: 
@@ -129,7 +132,7 @@ Annotations: Data ==== ca-bundle.crt: -``` +----- . Under the `metricbeat` ClusterRole, add the following resources: + From 2881f98c10790cb8ecb982eb016ddf8474ee1f18 Mon Sep 17 00:00:00 2001 From: chrismark Date: Thu, 23 Apr 2020 11:16:43 +0300 Subject: [PATCH 6/6] improve daemonset comment Signed-off-by: chrismark --- deploy/kubernetes/metricbeat-kubernetes.yaml | 4 ++-- .../kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 41c4b3e5a23e..179f33089e18 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -79,8 +79,8 @@ data: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.verification_mode: "none" - # If there is a CA available to reach out the Kubelet API remove ssl.verification_mode entry and - # use the CA, for instance: + # If there is a CA bundle that contains the issuer of the certificate used in the Kubelet API, + # remove ssl.verification_mode entry and use the CA, for instance: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt # Currently `proxy` metricset is not supported on Openshift, comment out section diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index a5774d876dc5..a244dda551a1 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml 
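Review bot: The reworded comment in deploy/kubernetes/metricbeat-kubernetes.yaml explains when to remove `ssl.verification_mode: "none"` but not what the shipped default implies: the hunk's context lines show `bearer_token_file` presenting the service-account token to `https://${NODE_NAME}:10250` while the Kubelet certificate is not verified, so the token is offered to whatever answers on that address. Suggest making that trade-off explicit so operators do not leave it in place by accident, for instance `# NOTE: "none" skips verification of the Kubelet certificate while the service account token is still sent; prefer ssl.certificate_authorities wherever a CA bundle is available.` The same comment block is changed identically in deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml in this commit, so the wording should be applied to both files.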
@@ -79,8 +79,8 @@ data: hosts: ["https://${NODE_NAME}:10250"] bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.verification_mode: "none" - # If there is a CA available to reach out the Kubelet API remove ssl.verification_mode entry and - # use the CA, for instance: + # If there is a CA bundle that contains the issuer of the certificate used in the Kubelet API, + # remove ssl.verification_mode entry and use the CA, for instance: #ssl.certificate_authorities: #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt # Currently `proxy` metricset is not supported on Openshift, comment out section