Hi
My Rancher version is 2.3.5. See below for the workload YAML and the container error related to my problem.
I'm trying to install Filebeat without using a Rancher app (Helm). I know that the Helm chart for Filebeat correctly creates a service account to access the Kubernetes API; my manual setup doesn't do this and therefore I get an error.
I would like to have complete control of the config, so creating the Filebeat Helm chart through the Rancher API is not what I want, even if this solves my automation "problem".
My entire deploy routine is based on using the Rancher API, so is there any way I can allow the Filebeat workload access to the Kubernetes API without manually creating a service account in kubectl? More specifically, is there any way to make logstash work in Rancher by only using workload YAML or the Rancher API?
Filebeat container error:
2020-02-07T12:19:05.189Z INFO instance/beat.go:606 Home path: [/usr/share/filebeat] Config path: [/usr/share/filebeat] Data path: [/usr/share/filebeat/data] Logs path: [/usr/share/filebeat/logs]
7.2.2020 13:19:05 2020-02-07T12:19:05.190Z INFO instance/beat.go:614 Beat ID: 6835c395-a511-4b0c-931e-e47d3e6bff7c
7.2.2020 13:19:05 2020-02-07T12:19:05.190Z INFO kubernetes/util.go:86 kubernetes: Using pod name filebeat-zw28r and namespace filebeat to discover kubernetes node
7.2.2020 13:19:05 2020-02-07T12:19:05.194Z ERROR kubernetes/util.go:90 kubernetes: Querying for pod failed with error: kubernetes api: Failure 403 pods "filebeat-zw28r" is forbidden: User "system:serviceaccount:filebeat:default" cannot get resource "pods" in API group "" in the namespace "filebeat"
7.2.2020 13:19:05 2020-02-07T12:19:05.194Z INFO kubernetes/watcher.go:182 kubernetes: Performing a resource sync for *v1.PodList
7.2.2020 13:19:05 2020-02-07T12:19:05.195Z ERROR kubernetes/watcher.go:185 kubernetes: Performing a resource sync err kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:filebeat:default" cannot list resource "pods" in API group "" at the cluster scope for *v1.PodList
7.2.2020 13:19:05 2020-02-07T12:19:05.195Z INFO instance/beat.go:366 filebeat stopped.
7.2.2020 13:19:05 2020-02-07T12:19:05.195Z ERROR instance/beat.go:877 Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:filebeat:default" cannot list resource "pods" in API group "" at the cluster scope
7.2.2020 13:19:05 Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:filebeat:default" cannot list resource "pods" in API group "" at the cluster scope
This is my workload YAML:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  generation: 1
  labels:
    cattle.io/creator: norman
    workload.user.cattle.io/workloadselector: daemonSet-filebeat-filebeat
  name: filebeat
  namespace: filebeat
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      workload.user.cattle.io/workloadselector: daemonSet-filebeat-filebeat
  template:
    metadata:
      labels:
        workload.user.cattle.io/workloadselector: daemonSet-filebeat-filebeat
    spec:
      containers:
        - args:
            - -e
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: filebeat
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.serviceAccountName
          image: docker.elastic.co/beats/filebeat:7.2.0
          imagePullPolicy: IfNotPresent
          name: filebeat
          resources: {}
          securityContext:
            allowPrivilegeEscalation: true
            capabilities: {}
            privileged: true
            readOnlyRootFilesystem: false
            runAsNonRoot: false
            runAsUser: 0
          stdin: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          tty: true
          volumeMounts:
            - mountPath: /var/log
              name: varlog
              readOnly: true
            - mountPath: /var/lib/docker/containers
              name: varlibdockercontainers
              readOnly: true
            - mountPath: /usr/share/filebeat/data
              name: data
            - mountPath: /usr/share/filebeat/filebeat.yml
              name: filebeat-config
              subPath: filebeat.yml
      dnsConfig: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 60
      volumes:
        - hostPath:
            path: /var/log
            type: ""
          name: varlog
        - hostPath:
            path: /var/lib/docker/containers
            type: ""
          name: varlibdockercontainers
        - hostPath:
            path: /var/lib/filebeat
            type: ""
          name: data
        - configMap:
            defaultMode: 420
            name: filebeat-yml
            optional: false
          name: filebeat-config
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
status:
  currentNumberScheduled: 3
  desiredNumberScheduled: 3
  numberMisscheduled: 0
  numberReady: 0
  numberUnavailable: 3
  observedGeneration: 1
  updatedNumberScheduled: 3
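The 403 in the log says it all: the pod runs as system:serviceaccount:filebeat:default, the namespace's default service account, which has no RBAC bindings, so the add_kubernetes_metadata processor cannot list pods. A workload YAML alone cannot grant that; the ServiceAccount, ClusterRole and ClusterRoleBinding are separate API objects. They do not need kubectl, though: Rancher 2.x proxies each downstream cluster's kube-apiserver at /k8s/clusters/<cluster-id>/, so the same deploy routine that posts the workload can post these objects with the same API token. The script below is an added example, not code from the original post, from Elastic or from Rancher; RANCHER_URL, CLUSTER_ID and RANCHER_TOKEN are placeholders, the ServiceAccount and role are named "filebeat" here by choice, and the ClusterRole is kept to get/list/watch on pods, nodes and namespaces, which is all the metadata processor reads. The SubjectAccessReview at the end asks the apiserver the exact question that failed in the log (can this service account list pods?) so the binding can be verified before the DaemonSet is rolled out.

```shell
#!/bin/sh
# Added example (not from the original post, Elastic or Rancher): create the RBAC
# objects a Filebeat DaemonSet needs through Rancher's Kubernetes API proxy.
# RANCHER_URL, CLUSTER_ID and RANCHER_TOKEN are hypothetical placeholders.
set -eu

: "${RANCHER_URL:=https://rancher.example.com}"   # hypothetical Rancher server
: "${CLUSTER_ID:=c-xxxxx}"                       # hypothetical cluster id
: "${RANCHER_TOKEN:=token-xxxxx:secret}"         # hypothetical Rancher API token
NS=filebeat
SA=filebeat

# ServiceAccount the DaemonSet will run as (set spec.serviceAccountName: filebeat).
sa_json() {
  printf '{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"%s","namespace":"%s"}}' "$SA" "$NS"
}

# Least-privilege ClusterRole: add_kubernetes_metadata only reads pods, nodes and
# namespaces, so no write verbs and nothing on secrets or other resources.
clusterrole_json() {
  printf '{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"%s"},"rules":[{"apiGroups":[""],"resources":["pods","nodes","namespaces"],"verbs":["get","list","watch"]}]}' "$SA"
}

# Cluster-scoped binding, because the log shows Filebeat listing pods at cluster scope.
crb_json() {
  printf '{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"%s"},"subjects":[{"kind":"ServiceAccount","name":"%s","namespace":"%s"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"%s"}}' "$SA" "$SA" "$NS" "$SA"
}

# SubjectAccessReview: may system:serviceaccount:<ns>:<sa> do <verb> on <resource>?
# $1 = verb, $2 = resource. Mirrors the call that returned 403 in the log.
sar_json() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview","spec":{"user":"system:serviceaccount:%s:%s","resourceAttributes":{"verb":"%s","resource":"%s"}}}' "$NS" "$SA" "$1" "$2"
}

# POST a JSON body to a kube-apiserver path through the Rancher cluster proxy.
# $1 = apiserver path, $2 = JSON body.
k8s_post() {
  curl -sS -f -X POST \
    -H "Authorization: Bearer $RANCHER_TOKEN" \
    -H 'Content-Type: application/json' \
    "$RANCHER_URL/k8s/clusters/$CLUSTER_ID$1" -d "$2"
}

apply_rbac() {
  k8s_post "/api/v1/namespaces/$NS/serviceaccounts" "$(sa_json)"
  k8s_post "/apis/rbac.authorization.k8s.io/v1/clusterroles" "$(clusterrole_json)"
  k8s_post "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" "$(crb_json)"
}

# Prints the apiserver's "allowed" verdict for the service account. $1 = verb, $2 = resource.
check_access() {
  k8s_post "/apis/authorization.k8s.io/v1/subjectaccessreviews" "$(sar_json "$1" "$2")" \
    | grep -o '"allowed":[a-z]*'
}

# Only talk to the network when explicitly asked; the JSON builders run stand-alone.
if [ "${1:-}" = "apply" ]; then
  apply_rbac
  check_access list pods      # should now report "allowed":true
  check_access list secrets   # should stay "allowed":false with this role
fi
```

Run it as `sh rbac.sh apply` once per cluster, then add `serviceAccountName: filebeat` under the pod spec (next to `restartPolicy`) in the DaemonSet YAML and post the workload as before; the env var in the posted YAML that reads spec.serviceAccountName will then show "filebeat" instead of "default". Two caveats: the objects are created with POST, so a second run returns 409 Conflict and you would switch to PUT for updates; and the role here grants read-only access on purpose, so if you later copy a binding to cluster-admin "to make it work", the log shipper on every node holds full cluster control, which is a far bigger blast radius than the 403 you started with.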