fluent-bit: deploy DaemonSet

This DaemonSet runs Fluent Bit on all nodes in the cluster.  The
ConfigMap that contains the pipeline configuration is actually managed
by Ansible, so that it can remain in sync with the configuration used by
Fluent Bit on non-Kubernetes nodes.
2025-11-28 21:26:42 -06:00
parent 3824f5f187
commit 707481c6fa
4 changed files with 160 additions and 0 deletions


@@ -0,0 +1,87 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fluent-bit
labels: &labels
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: fluent-bit
image: cr.fluentbit.io/fluent/fluent-bit
imagePullPolicy: IfNotPresent
args:
- -c
- /etc/fluent-bit/fluent-bit.yml
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- CAP_DAC_READ_SEARCH
volumeMounts:
- mountPath: /etc/fluent-bit
name: fluent-bit-config
readOnly: true
- mountPath: /etc/machine-id
name: machine-id
readOnly: true
- mountPath: /etc/pki/ca-trust/source/anchors
name: dch-ca
readOnly: true
- mountPath: /run/log
name: run-log
readOnly: true
- mountPath: /var/lib/fluent-bit
name: fluent-bit-data
- mountPath: /var/log
name: var-log
readOnly: true
dnsPolicy: ClusterFirstWithHostNet
securityContext:
seLinuxOptions:
type: spc_t
serviceAccountName: fluent-bit
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: dch-ca
configMap:
name: dch-root-ca
items:
- key: dch-root-ca.crt
path: dch-root-ca-r2.crt
- name: fluent-bit-config
configMap:
name: fluent-bit
- name: fluent-bit-data
hostPath:
path: /var/lib/fluent-bit
type: DirectoryOrCreate
- name: machine-id
hostPath:
path: /etc/machine-id
type: File
- name: run-log
hostPath:
path: /run/log
type: Directory
- name: var-log
hostPath:
path: /var/log
type: Directory
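Review bot: The container securityContext stops at `readOnlyRootFilesystem` and the capability change; `allowPrivilegeEscalation: false` is missing, and the pod-level `seLinuxOptions.type: spc_t` removes SELinux confinement for the whole pod while `CAP_DAC_READ_SEARCH` bypasses file-permission checks on the mounted host directories, with nothing in the manifest saying why. Add `allowPrivilegeEscalation: false` beside `readOnlyRootFilesystem: true`, and above `seLinuxOptions` a comment such as `# spc_t: unconfined SELinux domain, needed to read host logs under /var/log and /run/log` (presumably the reason; confirm that the narrower log-reader domain from container-selinux, `container_logreader_t`, would not suffice on these nodes). Kubernetes capability names conventionally omit the `CAP_` prefix (`DAC_READ_SEARCH`); whether the prefixed spelling is accepted depends on the container runtime, so the unprefixed form is the portable one. The container also declares no `resources` requests or limits, which matters for a DaemonSet scheduled on every node.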


@@ -0,0 +1,25 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: fluent-bit
labels:
- pairs:
app.kubernetes.io/instance: fluent-bit
includeTemplates: false
includeSelectors: true
- pairs:
app.kubernetes.io/part-of: fluent-bit
includeTemplates: true
includeSelectors: false
resources:
- namespace.yaml
- rbac.yaml
- fluent-bit.yaml
#- network-policy.yaml
- ../dch-root-ca
images:
- name: cr.fluentbit.io/fluent/fluent-bit
newTag: 3.2.8
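Review bot: The image override pins `cr.fluentbit.io/fluent/fluent-bit` by tag only (`newTag: 3.2.8`); a tag is mutable, so what actually runs on every node can change without any change to this repository. Pin by digest instead, using kustomize's `digest: sha256:<digest-of-3.2.8>` field (placeholder, look up the real digest), or add a comment stating that tag pinning is deliberate. The commented-out `#- network-policy.yaml` leaves the namespace without a NetworkPolicy; a comment giving the reason it is disabled, and a TODO to enable it, would save the next reader from guessing. Note that the `includeSelectors: true` label pair is also written into the DaemonSet's immutable `spec.selector`, so that label cannot later be renamed without recreating the DaemonSet.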


@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit
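Review bot: The namespace carries no Pod Security Admission labels, yet the DaemonSet it will hold uses hostPath volumes, adds a capability and sets an `spc_t` SELinux type, all of which the `baseline` Pod Security Standard rejects. If the cluster enforces a default level, the DaemonSet object would be admitted but its pods rejected, which is easy to miss at apply time; either way the namespace is the place to state the intended level, e.g. `pod-security.kubernetes.io/enforce: privileged` with a comment explaining why a privileged workload lives here. This is inferred from the manifests in this commit; adjust if the cluster does not use Pod Security Admission.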

fluent-bit/rbac.yaml Normal file

@@ -0,0 +1,42 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: fluent-bit
labels:
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/component: fluent-bit
rules:
- apiGroups:
- ''
resources:
- namespaces
- pods
- nodes
- nodes/proxy
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: fluent-bit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluent-bit
subjects:
- kind: ServiceAccount
name: fluent-bit
namespace: fluent-bit
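Review bot: The ClusterRole grants `get`, `list` and `watch` on `nodes/proxy`, a sensitive subresource: `get` alone reaches the kubelet API on every node (pod logs, metrics, running-pod listings), and `list`/`watch` have no meaning on a proxy subresource, so they only widen the grant on paper. Split the rule so that `nodes/proxy` receives only `get`, with a comment naming the feature that needs it (presumably the kubernetes filter's kubelet lookup; confirm against the Ansible-managed pipeline config, which is not in this commit), and drop `nodes/proxy` entirely if that feature is not in use. The `namespaces` resource is likewise only needed when namespace metadata enrichment is enabled. The ClusterRoleBinding is also the only object in the commit without the `app.kubernetes.io/name` and `component` labels the ServiceAccount and ClusterRole carry.
```yaml
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
  # kubelet API access for pod-metadata lookup; read-only `get` is all the proxy needs
  - apiGroups:
      - ''
    resources:
      - nodes/proxy
    verbs:
      - get
# … unchanged: ClusterRoleBinding document …
```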