--- apiVersion: beat.k8s.elastic.co/v1beta1 kind: Beat metadata: name: metricbeat namespace: logging spec: type: metricbeat version: 8.5.0 elasticsearchRef: name: cluster kibanaRef: name: kibana config: metricbeat: autodiscover: providers: - hints: default_config: {} enabled: "true" node: ${NODE_NAME} type: kubernetes modules: - module: system period: 10s metricsets: - cpu - load - memory - network - process - process_summary process: include_top_n: by_cpu: 5 by_memory: 5 processes: - .* - module: system period: 1m metricsets: - filesystem - fsstat processors: - drop_event: when: regexp: system: filesystem: mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib)($|/) - module: kubernetes period: 10s node: ${NODE_NAME} hosts: - https://${NODE_NAME}:10250 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl: verification_mode: none metricsets: - node - system - pod - container - volume processors: - add_cloud_metadata: {} - add_host_metadata: {} daemonSet: podTemplate: spec: serviceAccountName: metricbeat automountServiceAccountToken: true # some older Beat versions are depending on this settings presence in k8s context containers: - args: - -e - -c - /etc/beat.yml - -system.hostfs=/hostfs name: metricbeat volumeMounts: - mountPath: /hostfs/sys/fs/cgroup name: cgroup - mountPath: /var/run/docker.sock name: dockersock - mountPath: /hostfs/proc name: proc env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName dnsPolicy: ClusterFirstWithHostNet hostNetwork: true # Allows to provide richer host metadata securityContext: runAsUser: 0 terminationGracePeriodSeconds: 30 volumes: - hostPath: path: /sys/fs/cgroup name: cgroup - hostPath: path: /var/run/docker.sock name: dockersock - hostPath: path: /proc name: proc --- # permissions needed for metricbeat # source: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kubernetes.html apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: metricbeat rules: - apiGroups: - "" resources: - nodes - namespaces - events - pods verbs: - get - list - watch - apiGroups: - "extensions" resources: - replicasets verbs: - get - list - watch - apiGroups: - apps resources: - statefulsets - deployments - replicasets verbs: - get - list - watch - apiGroups: - "" resources: - nodes/stats verbs: - get - nonResourceURLs: - /metrics verbs: - get --- apiVersion: v1 kind: ServiceAccount metadata: name: metricbeat namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: metricbeat subjects: - kind: ServiceAccount name: metricbeat namespace: default roleRef: kind: ClusterRole name: metricbeat apiGroup: rbac.authorization.k8s.io --- --- apiVersion: beat.k8s.elastic.co/v1beta1 kind: Beat metadata: name: filebeat spec: type: filebeat version: 8.5.0 elasticsearchRef: name: elasticsearch kibanaRef: name: kibana config: filebeat: autodiscover: providers: - type: kubernetes node: ${NODE_NAME} hints: enabled: true default_config: type: container paths: - /var/log/containers/*${data.kubernetes.container.id}.log processors: - add_cloud_metadata: {} - add_host_metadata: {} daemonSet: podTemplate: spec: serviceAccountName: filebeat automountServiceAccountToken: true terminationGracePeriodSeconds: 30 dnsPolicy: ClusterFirstWithHostNet hostNetwork: true # Allows to provide richer host metadata containers: - name: filebeat securityContext: runAsUser: 0 # If using Red Hat OpenShift uncomment this: #privileged: true volumeMounts: - name: varlogcontainers mountPath: /var/log/containers - name: varlogpods mountPath: /var/log/pods - name: varlibdockercontainers mountPath: /var/lib/docker/containers env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumes: - name: varlogcontainers hostPath: path: /var/log/containers - name: varlogpods hostPath: path: /var/log/pods - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: filebeat rules: - apiGroups: [""] # "" indicates the core API group resources: - namespaces - pods - nodes verbs: - get - watch - list --- apiVersion: v1 kind: ServiceAccount metadata: name: filebeat namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: filebeat subjects: - kind: ServiceAccount name: filebeat namespace: default roleRef: kind: ClusterRole name: filebeat apiGroup: rbac.authorization.k8s.io --- --- apiVersion: beat.k8s.elastic.co/v1beta1 kind: Beat metadata: name: journalbeat namespace: logging spec: type: journalbeat version: 7.15.2 # last release of Journalbeat elasticsearchRef: name: cluster config: journalbeat.inputs: - paths: [] seek: cursor cursor_seek_fallback: tail processors: - add_cloud_metadata: {} - add_host_metadata: {} daemonSet: podTemplate: spec: automountServiceAccountToken: true # some older Beat versions are depending on this settings presence in k8s context dnsPolicy: ClusterFirstWithHostNet containers: - name: journalbeat volumeMounts: - mountPath: /var/log/journal name: var-journal - mountPath: /run/log/journal name: run-journal - mountPath: /etc/machine-id name: machine-id hostNetwork: true # Allows to provide richer host metadata securityContext: runAsUser: 0 terminationGracePeriodSeconds: 30 volumes: - hostPath: path: /var/log/journal name: var-journal - hostPath: path: /run/log/journal name: run-journal - hostPath: path: /etc/machine-id name: machine-id