aws / eks-charts

Amazon EKS Helm chart repository
Apache License 2.0

aws-for-fluent-bit errors when disabling firehose, kinesis, and elasticsearch plugins #751

Open jallen-frb opened 2 years ago

jallen-frb commented 2 years ago

Describe the bug

When using aws-for-fluent-bit helm chart, I disable everything but the cloudwatch plugin. This makes the container dump out errors for the other services.

  aws-for-fluent-bit:
    enabled: true
    source:
      repoURL: https://aws.github.io/eks-charts
      targetRevision: 0.1.16
      chart: aws-for-fluent-bit
      helm:
        cloudwatch:
          enabled: true
          region: us-east-1
        firehose:
          enabled: false
        kinesis:
          enabled: false
        elasticsearch:
          enabled: false
        tolerations:
          - key: "node-role.kubernetes.io/master"
            operator: "Exists"
            effect: "NoSchedule"
          - operator: "Exists"
            effect: "NoExecute"
          - operator: "Exists"
            effect: "NoSchedule"
        serviceAccount:
          create: true
          name: aws-for-fluent-bit-sa
          annotations:
            eks.amazonaws.com/role-arn: <my-role>

logs I get (redacted):

time="2022-05-11T12:20:07Z" level=error msg="[kinesis 0] PutRecords failed with AccessDeniedException: User: <my-role> is not authorized to perform: kinesis:PutRecords on resource: <a-kinesis-stream> because no identity-based policy allows the kinesis:PutRecords action\n\tstatus code: 400, request id: <request-id>\n"
time="2022-05-11T12:20:07Z" level=error msg="[kinesis 0] AccessDeniedException: User: is not authorized to perform: kinesis:PutRecords on resource:  because no identity-based policy allows the kinesis:PutRecords action\n\tstatus code: 400, request id: \n"
[2022/05/11 12:20:07] [ warn] [engine] chunk '1-1652271597.188086791.flb' cannot be retried: task_id=22, input=tail.0 > output=firehose.1
[2022/05/11 12:20:07] [ warn] [engine] chunk '1-1652271597.188086791.flb' cannot be retried: task_id=22, input=tail.0 > output=kinesis.2
[2022/05/11 12:20:07] [ warn] [engine] failed to flush chunk '1-1652271597.188086791.flb', retry in 10 seconds: task_id=22, input=tail.0 > output=es.3 (out_id=3)
[2022/05/11 12:20:09] [ warn] [engine] chunk '1-1652271281.422029229.flb' cannot be retried: task_id=21, input=tail.0 > output=es.3
[2022/05/11 12:20:09] [ info] [input] tail.0 resume (storage buf overlimit 22/128)
[2022/05/11 12:20:09] [ warn] [input] tail.0 paused (mem buf overlimit)
time="2022-05-11T12:20:11Z" level=error msg="[firehose 0] PutRecordBatch failed with AccessDeniedException: User:  is not authorized to perform: firehose:PutRecordBatch on resource:  because no identity-based policy allows the firehose:PutRecordBatch action\n\tstatus code: 400, request id: "
time="2022-05-11T12:20:11Z" level=error msg="[firehose 0] AccessDeniedException: User:  is not authorized to perform: firehose:PutRecordBatch on resource:  because no identity-based policy allows the firehose:PutRecordBatch action\n\tstatus code: 400, request id: \n"

Steps to reproduce

Disable the firehose, kinesis, and elasticsearch plugins and look at pod logs.

Expected outcome

The firehose, kinesis, and elasticsearch plugins are disabled with no pod log errors.

Environment

Additional Context:

alt-dima commented 2 years ago

Interesting. Do you see those errors every second or just when fluentbit starts? Does fluentbit not work at all?

This is my configuration and it works fine (helm 0.1.17, eks 1.22)

cloudWatch:
  enabled: false

firehose:
  enabled: false

kinesis:
  enabled: false

elasticsearch:
  enabled: false

additionalOutputs: |
  [OUTPUT]
      Name                kafka

johncmerfeld commented 1 year ago

In my case the above fixed it. I hadn't explicitly disabled elasticsearch.
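
Added example, not part of the original thread or of the chart's code: a small triage script that reads pod logs in the two formats shown in the report and lists which output plugins are still running, so a values change can be checked against what the pod actually does. The sample lines are constructed from the formats in the report; the function names and the `intended` set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the two log formats in the report above.
SAMPLE_LOG = r'''time="2022-05-11T12:20:07Z" level=error msg="[kinesis 0] PutRecords failed with AccessDeniedException: User: <role> is not authorized to perform: kinesis:PutRecords on resource: <stream> because no identity-based policy allows the kinesis:PutRecords action\n\tstatus code: 400, request id: <id>\n"
[2022/05/11 12:20:07] [ warn] [engine] chunk '1-1.flb' cannot be retried: task_id=22, input=tail.0 > output=firehose.1
[2022/05/11 12:20:07] [ warn] [engine] failed to flush chunk '1-1.flb', retry in 10 seconds: task_id=22, input=tail.0 > output=es.3 (out_id=3)
time="2022-05-11T12:20:11Z" level=error msg="[firehose 0] PutRecordBatch failed with AccessDeniedException: User: <role> is not authorized to perform: firehose:PutRecordBatch on resource: <stream> because no identity-based policy allows the firehose:PutRecordBatch action\n\tstatus code: 400, request id: <id>"
[2022/05/11 12:20:09] [ info] [input] tail.0 resume (storage buf overlimit 22/128)
'''

# Plugin error line: msg="[<plugin> <n>] ... not authorized to perform: <service>:<Action>"
DENIED = re.compile(
    r'msg="\[(\w+) \d+\].*?AccessDeniedException.*?not authorized to perform: ([\w-]+:\w+)'
)
# Engine warning line: "... input=tail.0 > output=<plugin>.<instance>"
ENGINE = re.compile(r'\[engine\].*output=([\w-]+)\.\d+')


def active_outputs(log_text):
    """Map each output plugin seen in the logs to the evidence that it is running."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            seen[m.group(1)].add("denied " + m.group(2))
            continue
        m = ENGINE.search(line)
        if m:
            seen[m.group(1)].add("flush failure")
    return dict(seen)


def unexpected_outputs(log_text, intended):
    """Outputs present in the logs that the values file was not meant to enable."""
    return sorted(set(active_outputs(log_text)) - set(intended))


if __name__ == "__main__":
    for name, evidence in sorted(active_outputs(SAMPLE_LOG).items()):
        print(name, sorted(evidence))
    print("unexpected:", unexpected_outputs(SAMPLE_LOG, intended={"cloudwatch"}))
```

A non-empty result from `unexpected_outputs` means an output section is still being rendered into the Fluent Bit configuration, which points at the values file (a key that was never explicitly disabled) rather than at the IAM role.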