diff --git a/fluent-bit/fluent-bit.yaml b/fluent-bit/fluent-bit.yaml
new file mode 100644
index 0000000..d03b0ab
--- /dev/null
+++ b/fluent-bit/fluent-bit.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fluent-bit
+ labels: &labels
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+spec:
+ selector:
+ matchLabels: *labels
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ containers:
+ - name: fluent-bit
+ image: cr.fluentbit.io/fluent/fluent-bit
+ imagePullPolicy: IfNotPresent
+ args:
+ - -c
+ - /etc/fluent-bit/fluent-bit.yml
+ env:
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - CAP_DAC_READ_SEARCH
+ volumeMounts:
+ - mountPath: /etc/fluent-bit
+ name: fluent-bit-config
+ readOnly: true
+ - mountPath: /etc/machine-id
+ name: machine-id
+ readOnly: true
+ - mountPath: /etc/pki/ca-trust/source/anchors
+ name: dch-ca
+ readOnly: true
+ - mountPath: /run/log
+ name: run-log
+ readOnly: true
+ - mountPath: /var/lib/fluent-bit
+ name: fluent-bit-data
+ - mountPath: /var/log
+ name: var-log
+ readOnly: true
+ dnsPolicy: ClusterFirstWithHostNet
+ securityContext:
+ seLinuxOptions:
+ type: spc_t
+ serviceAccountName: fluent-bit
+ tolerations:
+ - effect: NoExecute
+ operator: Exists
+ - effect: NoSchedule
+ operator: Exists
+ volumes:
+ - name: dch-ca
+ configMap:
+ name: dch-root-ca
+ items:
+ - key: dch-root-ca.crt
+ path: dch-root-ca-r2.crt
+ - name: fluent-bit-config
+ configMap:
+ name: fluent-bit
+ - name: fluent-bit-data
+ hostPath:
+ path: /var/lib/fluent-bit
+ type: DirectoryOrCreate
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ type: File
+ - name: run-log
+ hostPath:
+ path: /run/log
+ type: Directory
+ - name: var-log
+ hostPath:
+ path: /var/log
+ type: Directory
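Review bot: The container securityContext drops ALL capabilities and adds only CAP_DAC_READ_SEARCH but does not set `allowPrivilegeEscalation: false` (nor a `seccompProfile`), which the restricted Pod Security Standard expects and which costs nothing for this workload; add `allowPrivilegeEscalation: false` next to `readOnlyRootFilesystem: true`. `dnsPolicy: ClusterFirstWithHostNet` is declared without `hostNetwork: true`, so it behaves as plain `ClusterFirst` — either add `hostNetwork: true` if node networking is intended or drop the policy so the manifest does not imply it. The config volume references a ConfigMap named `fluent-bit` that nothing in this change creates (kustomization.yaml lists no configMapGenerator), so the pod will not start unless that ConfigMap is created elsewhere; a comment above the volume naming its origin would help. No `resources` requests/limits are declared for a DaemonSet that, via the `Exists` tolerations, lands on every node including control-plane nodes.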
diff --git a/fluent-bit/kustomization.yaml b/fluent-bit/kustomization.yaml
new file mode 100644
index 0000000..c0c43ab
--- /dev/null
+++ b/fluent-bit/kustomization.yaml
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fluent-bit
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: fluent-bit
+ includeTemplates: false
+ includeSelectors: true
+- pairs:
+ app.kubernetes.io/part-of: fluent-bit
+ includeTemplates: true
+ includeSelectors: false
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- fluent-bit.yaml
+#- network-policy.yaml
+- ../dch-root-ca
+
+images:
+- name: cr.fluentbit.io/fluent/fluent-bit
+ newTag: 3.2.8
diff --git a/fluent-bit/namespace.yaml b/fluent-bit/namespace.yaml
new file mode 100644
index 0000000..725f7af
--- /dev/null
+++ b/fluent-bit/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
diff --git a/fluent-bit/rbac.yaml b/fluent-bit/rbac.yaml
new file mode 100644
index 0000000..c8ad467
--- /dev/null
+++ b/fluent-bit/rbac.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fluent-bit
+ labels:
+ app.kubernetes.io/name: fluent-bit
+ app.kubernetes.io/component: fluent-bit
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ - pods
+ - nodes
+ - nodes/proxy
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fluent-bit
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fluent-bit
+subjects:
+ - kind: ServiceAccount
+ name: fluent-bit
+ namespace: fluent-bit
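Review bot: The `app.kubernetes.io/instance` label entry uses `includeSelectors: true`, which writes the label into the DaemonSet's `spec.selector.matchLabels`; that field is immutable, so renaming the instance later forces a delete-and-recreate instead of a rolling update, and a comment on that entry such as `# becomes part of the immutable DaemonSet selector` would make the trade-off explicit. `#- network-policy.yaml` is commented out with no explanation, so as written this kustomization applies no NetworkPolicy to the fluent-bit namespace; a one-line comment stating whether the policy is pending or intentionally omitted would tell the next reader which it is.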
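Review bot: The ClusterRole grants `get`, `list` and `watch` on `nodes/proxy`, which is access to the kubelet API of every node (pod listings and container logs for all workloads scheduled there) and is a far broader grant than the rest of the rule; if it is only needed for the kubernetes filter's `Use_Kubelet` mode, a comment above that resource saying so would justify it, and if that mode is not used it should be dropped. `list` and `watch` do not appear to map to anything on the `nodes/proxy` subresource, so splitting it into its own rule with just `get` would document the minimal need. Sequence indentation is also inconsistent within the file: `rules:` uses a flush `- apiGroups:` while `subjects:` uses an indented `- kind:`; pick one style for the file.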