fluent-plugins-nursery / fluent-plugin-cloudwatch-logs

CloudWatch Logs Plugin for Fluentd
MIT License

Ability to configure regional AWS sts endpoint #206

Closed eriklupander closed 3 years ago

eriklupander commented 3 years ago

Problem

I would like to be able to configure this plug-in to use a regional AWS STS endpoint in order to use a restrictive network security policy. Currently, a call is made to the global https://sts.amazonaws.com endpoint which makes using VPC endpoint on a private subnet infeasible. (more details further down)

Steps to replicate

One can quite easily reproduce this problem by not allowing egress network traffic to whatever IP-range the plugin needs to communicate with for AWS sts or logs endpoints.

Our egress NSP:

egress:
    - to:
      - ipBlock:
          cidr: 192.168.0.0/16
      - ipBlock:
          cidr: 10.100.0.0/16
      ports:
      - port: 443
    - to:
      - namespaceSelector:
          matchLabels:
            name: kube-system
      - podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

Error from fluentd.log:

2020-10-16 13:10:59 +0000 [error]: #0 unexpected error error_class=Seahorse::Client::NetworkingError error="execution expired"
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:947:in `initialize'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:947:in `open'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:947:in `block in connect'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/timeout.rb:103:in `timeout'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:945:in `connect'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/net/http.rb:925:in `start'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/delegate.rb:83:in `method_missing'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/net_http/connection_pool.rb:297:in `start_session'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/net_http/connection_pool.rb:96:in `session_for'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/net_http/handler.rb:121:in `session'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/net_http/handler.rb:73:in `transmit'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/net_http/handler.rb:47:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/plugins/content_length.rb:17:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/xml/error_handler.rb:8:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/transfer_encoding.rb:26:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:177:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:208:in `retry_request'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:191:in `retry_if_possible'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:179:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:208:in `retry_request'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:191:in `retry_if_possible'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:179:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:208:in `retry_request'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:191:in `retry_if_possible'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/retry_errors.rb:179:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/query/handler.rb:28:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/user_agent.rb:13:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/endpoint_pattern.rb:28:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:78:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/plugins/endpoint.rb:45:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/param_validator.rb:24:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/plugins/response_target.rb:23:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/request.rb:70:in `send_request'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-sts/client.rb:1183:in `assume_role_with_web_identity'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/assume_role_web_identity_credentials.rb:68:in `refresh'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/refreshing_credentials.rb:20:in `initialize'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/assume_role_web_identity_credentials.rb:56:in `initialize'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/credential_provider_chain.rb:97:in `new'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/credential_provider_chain.rb:97:in `assume_role_web_identity_credentials'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/credential_provider_chain.rb:12:in `block in resolve'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/credential_provider_chain.rb:11:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/credential_provider_chain.rb:11:in `resolve'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/aws-sdk-core/plugins/credentials_configuration.rb:53:in `block in <class:CredentialsConfiguration>'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:70:in `call'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:213:in `block in resolve_defaults'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:57:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:57:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:212:in `resolve_defaults'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:205:in `value_at'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:189:in `block in resolve'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/set.rb:338:in `each_key'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/set.rb:338:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:189:in `resolve'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:177:in `apply_defaults'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/configuration.rb:150:in `build!'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/base.rb:62:in `build_config'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/base.rb:19:in `initialize'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-cloudwatchlogs-1.25.0/lib/aws-sdk-cloudwatchlogs/client.rb:262:in `initialize'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/aws-sdk-core-3.68.0/lib/seahorse/client/base.rb:99:in `new'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-cloudwatch-logs-0.7.4/lib/fluent/plugin/out_cloudwatch_logs.rb:101:in `start'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:203:in `block in start'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:182:in `block (2 levels) in lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/agent.rb:119:in `block (2 levels) in lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/agent.rb:118:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/agent.rb:118:in `block in lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/agent.rb:111:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/agent.rb:111:in `lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:181:in `block in lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:178:in `each'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:178:in `lifecycle'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/root_agent.rb:202:in `start'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/engine.rb:274:in `start'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/engine.rb:219:in `run'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/supervisor.rb:808:in `run_engine'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/supervisor.rb:551:in `block in run_worker'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/supervisor.rb:733:in `main_process'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/supervisor.rb:546:in `run_worker'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/lib/fluent/command/fluentd.rb:320:in `<top (required)>'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
  2020-10-16 13:10:59 +0000 [error]: #0 /usr/local/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.7.3/bin/fluentd:8:in `<top (required)>'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/bin/fluentd:23:in `load'
  2020-10-16 13:10:59 +0000 [error]: #0 /fluentd/vendor/bundle/ruby/2.6.0/bin/fluentd:23:in `<main>'
2020-10-16 13:10:59 +0000 [error]: #0 unexpected error error_class=Seahorse::Client::NetworkingError error="execution expired"
  2020-10-16 13:10:59 +0000 [error]: #0 suppressed same stacktrace
2020-10-16 13:10:59 +0000 [info]: Worker 0 finished unexpectedly with status 1

Expected Behavior or What you need to ask

I'm currently trying to create a strict Network Security Policy (NSP) for running this plug-in on AWS EKS as a daemonset. Without an NSP, everything works just fine.

I've almost nailed the NSP down by allowing egress traffic UDP/TCP to port 53 for DNS, to 10.100.0.0/16 port 443 for K8S API calls and to 192.168.0.0/16 for service calls to VPC endpoints such as logs.{REGION}.amazonaws.com and sts.{REGION}.amazonaws.com.

My remaining issue is that during startup, fluentd (or this plugin) tries to call https://sts.amazonaws.com which results in a request to (for example) 54.239.29.25:443. If I allow egress to 54.0.0.0/8 it works OK, but that's too permissive and I don't trust those IPs to stay static.

It boils down to this: I would like to be able to configure this plug-in to use a regional sts endpoint (for example, see https://github.com/awslabs/aws-fluent-plugin-kinesis/blob/master/README.md and its sts_endpoint_url config property), which could make it possible to utilize a configured VPC endpoint for "sts" at a 192.168.0.0/16 or other subnet IP range.

One cannot AFAIK set up a VPC endpoint for a non-regional AWS service endpoint.

I've looked at https://github.com/aws/aws-sdk-ruby/ and have tried setting all AWS_REGION etc. environment variables to no avail, and also tried setting aws_use_sts to both true / false, which doesn't affect the outcome.

Of course, any good workarounds or other tips would be appreciated too!

Using Fluentd and CloudWatchLogs plugin versions

Boot log:

2020-10-16 13:09:55 +0000 [info]: parsing config file is succeeded path="/fluentd/etc/fluent.conf"
2020-10-16 13:09:56 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:56 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:56 +0000 [warn]: 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:56 +0000 [info]: using configuration file: <ROOT>
  <source>
    @type tail
    @id in_tail_container_logs
    @label @containers
    path "/var/log/containers/*.log"
    exclude_path ["/var/log/containers/cloudwatch-agent*","/var/log/containers/fluentd*"]
    pos_file "/var/log/fluentd-containers.log.pos"
    tag "*"
    read_from_head true
    <parse>
      @type "json"
      time_format "%Y-%m-%dT%H:%M:%S.%NZ"
      time_type string
    </parse>
  </source>
  <source>
    @type tail
    @id in_tail_cwagent_logs
    @label @cwagentlogs
    path "/var/log/containers/cloudwatch-agent*"
    pos_file "/var/log/cloudwatch-agent.log.pos"
    tag "*"
    read_from_head true
    <parse>
      @type "json"
      time_format "%Y-%m-%dT%H:%M:%S.%NZ"
      time_type string
    </parse>
  </source>
  <source>
    @type tail
    @id in_tail_fluentd_logs
    @label @fluentdlogs
    path "/var/log/containers/fluentd*"
    pos_file "/var/log/fluentd.log.pos"
    tag "*"
    read_from_head true
    <parse>
      @type "json"
      time_format "%Y-%m-%dT%H:%M:%S.%NZ"
      time_type string
    </parse>
  </source>
  <label @fluentdlogs>
    <filter **>
      @type kubernetes_metadata
      @id filter_kube_metadata_fluentd
    </filter>
    <filter **>
      @type record_transformer
      @id filter_fluentd_stream_transformer
      <record>
        stream_name ${tag_parts[3]}
      </record>
    </filter>
    <match **>
      @type relabel
      @label @NORMAL
    </match>
  </label>
  <label @containers>
    <filter **>
      @type kubernetes_metadata
      @id filter_kube_metadata
    </filter>
    <filter **>
      @type record_transformer
      @id filter_containers_stream_transformer
      <record>
        stream_name ${tag_parts[3]}
      </record>
    </filter>
    <filter **>
      @type concat
      key "log"
      multiline_start_regexp "/^\\S/"
      separator ""
      flush_interval 5
      timeout_label "@NORMAL"
    </filter>
    <match **>
      @type relabel
      @label @NORMAL
    </match>
  </label>
  <label @cwagentlogs>
    <filter **>
      @type kubernetes_metadata
      @id filter_kube_metadata_cwagent
    </filter>
    <filter **>
      @type record_transformer
      @id filter_cwagent_stream_transformer
      <record>
        stream_name ${tag_parts[3]}
      </record>
    </filter>
    <filter **>
      @type concat
      key "log"
      multiline_start_regexp "/^\\d{4}[-/]\\d{1,2}[-/]\\d{1,2}/"
      separator ""
      flush_interval 5
      timeout_label "@NORMAL"
    </filter>
    <match **>
      @type relabel
      @label @NORMAL
    </match>
  </label>
  <label @NORMAL>
    <match **>
      @type cloudwatch_logs
      @id out_cloudwatch_logs_containers
      region "eu-west-1"
      log_group_name "/aws/containerinsights/our-cluster-1/application"
      log_stream_name_key "stream_name"
      remove_log_stream_name_key true
      auto_create_stream true
      <buffer>
        flush_interval 5
        chunk_limit_size 2m
        queued_chunks_limit_size 32
        retry_forever true
      </buffer>
    </match>
  </label>
  <source>
    @type systemd
    @id in_systemd_kubelet
    @label @systemd
    filters [{"_SYSTEMD_UNIT":"kubelet.service"}]
    path "/var/log/journal"
    read_from_head true
    tag "kubelet.service"
    <entry>
      field_map {"MESSAGE":"message","_HOSTNAME":"hostname","_SYSTEMD_UNIT":"systemd_unit"}
      field_map_strict true
    </entry>
    <storage>
      @type "local"
      persistent true
      path "/var/log/fluentd-journald-kubelet-pos.json"
    </storage>
  </source>
  <source>
    @type systemd
    @id in_systemd_kubeproxy
    @label @systemd
    filters [{"_SYSTEMD_UNIT":"kubeproxy.service"}]
    path "/var/log/journal"
    read_from_head true
    tag "kubeproxy.service"
    <entry>
      field_map {"MESSAGE":"message","_HOSTNAME":"hostname","_SYSTEMD_UNIT":"systemd_unit"}
      field_map_strict true
    </entry>
    <storage>
      @type "local"
      persistent true
      path "/var/log/fluentd-journald-kubeproxy-pos.json"
    </storage>
  </source>
  <source>
    @type systemd
    @id in_systemd_docker
    @label @systemd
    filters [{"_SYSTEMD_UNIT":"docker.service"}]
    path "/var/log/journal"
    read_from_head true
    tag "docker.service"
    <entry>
      field_map {"MESSAGE":"message","_HOSTNAME":"hostname","_SYSTEMD_UNIT":"systemd_unit"}
      field_map_strict true
    </entry>
    <storage>
      @type "local"
      persistent true
      path "/var/log/fluentd-journald-docker-pos.json"
    </storage>
  </source>
  <label @systemd>
    <filter **>
      @type kubernetes_metadata
      @id filter_kube_metadata_systemd
    </filter>
    <filter **>
      @type record_transformer
      @id filter_systemd_stream_transformer
      <record>
        stream_name ${tag}-${record["hostname"]}
      </record>
    </filter>
    <match **>
      @type cloudwatch_logs
      @id out_cloudwatch_logs_systemd
      region "eu-west-1"
      log_group_name "/aws/containerinsights/our-cluster-1/dataplane"
      log_stream_name_key "stream_name"
      auto_create_stream true
      remove_log_stream_name_key true
      <buffer>
        flush_interval 5
        chunk_limit_size 2m
        queued_chunks_limit_size 32
        retry_forever true
      </buffer>
    </match>
  </label>
  <source>
    @type tail
    @id in_tail_dmesg
    @label @hostlogs
    path "/var/log/dmesg"
    pos_file "/var/log/dmesg.log.pos"
    tag "host.dmesg"
    read_from_head true
    <parse>
      @type "syslog"
    </parse>
  </source>
  <source>
    @type tail
    @id in_tail_secure
    @label @hostlogs
    path "/var/log/secure"
    pos_file "/var/log/secure.log.pos"
    tag "host.secure"
    read_from_head true
    <parse>
      @type "syslog"
    </parse>
  </source>
  <source>
    @type tail
    @id in_tail_messages
    @label @hostlogs
    path "/var/log/messages"
    pos_file "/var/log/messages.log.pos"
    tag "host.messages"
    read_from_head true
    <parse>
      @type "syslog"
    </parse>
  </source>
  <label @hostlogs>
    <filter **>
      @type kubernetes_metadata
      @id filter_kube_metadata_host
    </filter>
    <filter **>
      @type record_transformer
      @id filter_containers_stream_transformer_host
      <record>
        stream_name ${tag}-${record["host"]}
      </record>
    </filter>
    <match host.**>
      @type cloudwatch_logs
      @id out_cloudwatch_logs_host_logs
      region "eu-west-1"
      log_group_name "/aws/containerinsights/our-cluster-1/host"
      log_stream_name_key "stream_name"
      remove_log_stream_name_key true
      auto_create_stream true
      <buffer>
        flush_interval 5
        chunk_limit_size 2m
        queued_chunks_limit_size 32
        retry_forever true
      </buffer>
    </match>
  </label>
  <match fluent.**>
    @type null
  </match>
</ROOT>
2020-10-16 13:09:56 +0000 [info]: starting fluentd-1.7.3 pid=6 ruby="2.6.4"
2020-10-16 13:09:56 +0000 [info]: spawn command to main:  cmdline=["/usr/local/bin/ruby", "-Eascii-8bit:ascii-8bit", "/fluentd/vendor/bundle/ruby/2.6.0/bin/fluentd", "-c", "/fluentd/etc/fluent.conf", "-p", "/fluentd/plugins", "--gemfile", "/fluentd/Gemfile", "--under-supervisor"]
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-cloudwatch-logs' version '0.7.4'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-concat' version '2.3.0'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-grok-parser' version '2.5.1'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-json-in-json-2' version '1.0.2'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '2.3.0'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-multi-format-parser' version '1.0.0'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-prometheus' version '1.5.0'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-record-modifier' version '2.0.1'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '2.2.0'
2020-10-16 13:09:56 +0000 [info]: gem 'fluent-plugin-systemd' version '1.0.2'
2020-10-16 13:09:56 +0000 [info]: gem 'fluentd' version '1.7.3'
2020-10-16 13:09:56 +0000 [info]: adding filter in @fluentdlogs pattern="**" type="kubernetes_metadata"
2020-10-16 13:09:56 +0000 [info]: adding filter in @fluentdlogs pattern="**" type="record_transformer"
2020-10-16 13:09:56 +0000 [info]: adding match in @fluentdlogs pattern="**" type="relabel"
2020-10-16 13:09:56 +0000 [info]: adding filter in @containers pattern="**" type="kubernetes_metadata"
2020-10-16 13:09:56 +0000 [info]: adding filter in @containers pattern="**" type="record_transformer"
2020-10-16 13:09:56 +0000 [info]: adding filter in @containers pattern="**" type="concat"
2020-10-16 13:09:57 +0000 [info]: adding match in @containers pattern="**" type="relabel"
2020-10-16 13:09:57 +0000 [info]: adding filter in @cwagentlogs pattern="**" type="kubernetes_metadata"
2020-10-16 13:09:57 +0000 [info]: adding filter in @cwagentlogs pattern="**" type="record_transformer"
2020-10-16 13:09:57 +0000 [info]: adding filter in @cwagentlogs pattern="**" type="concat"
2020-10-16 13:09:57 +0000 [info]: adding match in @cwagentlogs pattern="**" type="relabel"
2020-10-16 13:09:57 +0000 [info]: adding match in @NORMAL pattern="**" type="cloudwatch_logs"
2020-10-16 13:09:57 +0000 [info]: adding filter in @systemd pattern="**" type="kubernetes_metadata"
2020-10-16 13:09:57 +0000 [info]: adding filter in @systemd pattern="**" type="record_transformer"
2020-10-16 13:09:57 +0000 [info]: adding match in @systemd pattern="**" type="cloudwatch_logs"
2020-10-16 13:09:57 +0000 [info]: adding filter in @hostlogs pattern="**" type="kubernetes_metadata"
2020-10-16 13:09:57 +0000 [info]: adding filter in @hostlogs pattern="**" type="record_transformer"
2020-10-16 13:09:57 +0000 [info]: adding match in @hostlogs pattern="host.**" type="cloudwatch_logs"
2020-10-16 13:09:57 +0000 [info]: adding match pattern="fluent.**" type="null"
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: adding source type="systemd"
2020-10-16 13:09:57 +0000 [warn]: #0 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:57 +0000 [info]: adding source type="systemd"
2020-10-16 13:09:57 +0000 [warn]: #0 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:57 +0000 [info]: adding source type="systemd"
2020-10-16 13:09:57 +0000 [warn]: #0 'filters' parameter is deprecated: filters has been renamed as matches
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: adding source type="tail"
2020-10-16 13:09:57 +0000 [info]: #0 starting fluentd worker pid=19 ppid=6 worker=0

Thanks!
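The failure described above comes down to one address check: the egress policy only admits 192.168.0.0/16 and 10.100.0.0/16 on port 443, while the SDK's credential refresh goes to the global sts.amazonaws.com, whose public IP lies outside both ranges. The script below is an added example, not code from the issue or from the fluent-plugin-cloudwatch-logs project; it loads a NetworkPolicy egress fragment (constructed here to match the one quoted in the issue), checks which AWS endpoints the policy would let a pod reach over HTTPS, and derives the regional STS hostname the reporter wants to use instead. The endpoint-to-IP table is constructed for the example (the VPC-endpoint addresses are made up, the global STS address is the one quoted in the issue); in a real check you would resolve the hostnames from inside the pod.

```ruby
# Added example (not part of the fluent-plugin-cloudwatch-logs project): checks
# whether the AWS endpoints a fluentd pod must reach are covered by the egress
# CIDRs of a Kubernetes NetworkPolicy, and derives the regional STS hostname.
require 'yaml'
require 'ipaddr'

# Constructed NetworkPolicy egress rules, mirroring the ones quoted in the issue.
NSP_YAML = <<~YAML
  egress:
    - to:
      - ipBlock:
          cidr: 192.168.0.0/16
      - ipBlock:
          cidr: 10.100.0.0/16
      ports:
      - port: 443
YAML

# Collect every ipBlock CIDR from rules that permit traffic on the given port.
def allowed_cidrs(nsp_yaml, port)
  rules = YAML.safe_load(nsp_yaml).fetch('egress', [])
  cidrs = rules.flat_map do |rule|
    ports = rule.fetch('ports', [])
    next [] unless ports.any? { |p| p['port'] == port }
    rule.fetch('to', []).map { |peer| peer.dig('ipBlock', 'cidr') }.compact
  end
  cidrs.map { |cidr| IPAddr.new(cidr) }
end

# True when the address falls inside at least one allowed CIDR.
def reachable?(ip, cidrs)
  addr = IPAddr.new(ip)
  cidrs.any? { |cidr| cidr.include?(addr) }
end

# Regional STS hostname for a region (the global one is sts.amazonaws.com).
def regional_sts_host(region)
  raise ArgumentError, 'region required' if region.nil? || region.empty?
  "sts.#{region}.amazonaws.com"
end

# Constructed endpoint -> resolved-IP table: the VPC-endpoint addresses are
# made up and sit in 192.168.0.0/16; the global STS address is the public
# one quoted in the issue.
ENDPOINT_IPS = {
  'sts.amazonaws.com'            => '54.239.29.25',
  'sts.eu-west-1.amazonaws.com'  => '192.168.10.5',
  'logs.eu-west-1.amazonaws.com' => '192.168.10.6'
}.freeze

# Returns { host => true/false }: whether the policy allows HTTPS to each host.
def egress_report(nsp_yaml, endpoint_ips, port: 443)
  cidrs = allowed_cidrs(nsp_yaml, port)
  endpoint_ips.each_with_object({}) do |(host, ip), report|
    report[host] = reachable?(ip, cidrs)
  end
end

if __FILE__ == $PROGRAM_NAME
  egress_report(NSP_YAML, ENDPOINT_IPS).each do |host, ok|
    puts format('%-30s %s', host, ok ? 'allowed' : 'BLOCKED by egress policy')
  end
  puts "regional STS host for eu-west-1: #{regional_sts_host('eu-west-1')}"
end
```

Run against the constructed table, the report marks sts.amazonaws.com as blocked and the two regional hosts as allowed, which is the situation the stack trace shows: `assume_role_with_web_identity` times out inside the credential provider chain before the CloudWatch Logs client is even built. The check is deliberately policy-side rather than network-side so it can be run in CI against the NetworkPolicy manifest; it only reports on ipBlock peers, so a rule that allows traffic via namespaceSelector or podSelector (like the kube-dns rule in the issue) is ignored here.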

cosmo0920 commented 3 years ago

I've created a patch for this issue: #208. BTW, I've supported IRSA credentials on fluent-plugin-cloudwatch-logs v0.11.0. If you use this plugin on EKS, using IRSA to obtain credentials is better for restricting service permissions: https://aws.amazon.com/jp/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

To handle IRSA credentials in this plugin, use the following configuration for retrieving credentials:

region eu-west-1
<web_identity_credentials>
  role_arn          "#{ENV['AWS_ROLE_ARN']}"
  role_session_name awesome-cloudwatch-logs-session-name
  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
</web_identity_credentials>

eriklupander commented 3 years ago

Thanks for the quick reply and patch. I'll take a look at IRSA for our purpose as well, thanks!