promtail: Deploy as DaemonSet

Running Promtail in a pod controlled by a DaemonSet allows it to access the Kubernetes API via a ServiceAccount token. Since it needs the API in order to discover the Pods running on the current node in order to find their log files, this makes the authentication process a lot simpler.
2024-02-21 07:58:56 -06:00
parent 5e4ab1d988
commit 815eefdcf9
4 changed files with 295 additions and 0 deletions
--- a/promtail/promtail.yaml
+++ b/promtail/promtail.yaml
@@ -0,0 +1,137 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  labels:
+    app.kubernetes.io/name: promtail
+    app.kubernetes.io/component: promtail
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: promtail
+  labels:
+    app.kubernetes.io/name: promtail
+    app.kubernetes.io/component: promtail
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: promtail
+  labels:
+    app.kubernetes.io/name: promtail
+    app.kubernetes.io/component: promtail
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: promtail
+subjects:
+- kind: ServiceAccount
+  name: promtail
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  labels:
+    app.kubernetes.io/name: promtail
+    app.kubernetes.io/component: promtail
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+      app.kubernetes.io/component: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+        app.kubernetes.io/component: promtail
+    spec:
+      containers:
+      - name: promtail
+        image: docker.io/grafana/promtail:2.9.4
+        args:
+        - -config.file=/etc/promtail/config.yml
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        ports:
+        - containerPort: 9080
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /ready
+          periodSeconds: 60
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          successThreshold: 1
+          failureThreshold: 30
+          timeoutSeconds: 1
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/machine-id
+          name: machine-id
+          readOnly: true
+        - mountPath: /etc/promtail
+          name: config
+          readOnly: true
+        - mountPath: /run/log
+          name: run-log
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+        - mountPath: /var/lib/promtail
+          name: promtail
+        - mountPath: /var/log
+          name: var-log
+          readOnly: true
+      securityContext:
+        seLinuxOptions:
+          # confined containers do not have access to /var/log
+          type: spc_t
+      serviceAccountName: promtail
+      tolerations:
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        configMap:
+          name: promtail
+      - name: machine-id
+        hostPath:
+          path: /etc/machine-id
+          type: File
+      - name: promtail
+        hostPath:
+          path: /var/lib/promtail
+          type: DirectoryOrCreate
+      - name: run-log
+        hostPath:
+          path: /run/log
+          type: Directory
+      - name: tmp
+        emptyDir: {}
+      - name: var-log
+        hostPath:
+          path: /var/log
+          type: Directory