Logging Integrations
KubeArchive supports logging, but it is not a logging system itself and does not implement logging. Instead, KubeArchive integrates with logging systems and provide URLs for retrieving log files from the logging system for a specific Kubernetes resource.
It is important to note that logs are tied to Pods
. When a user requests the logs
for a Tekton PipelineRun
, what they expect to get back are the logs attached to the
that were part of the PipelineRun
. Similar cases exist for requesting logs for
and CronJobs
. KubeArchive handles this seamlessly for the user.
KubeArchiveConfig Configuration
KubeArchive retrieves log URLs using the owner references field of a resource.
When logs for a resource are requested, a query is made to find all the resources
that have that initial resource as an owner. Then each resource returned is
processed similarly, eventually building up a list of Pods
and from those a
list of log file links. This generic approach works for any resource.
A KubeArchiveConfig
needs to be configured correctly to support this, meaning it must
be configured so that the initial resource and any dependent resources, all the way
down to and including the Pods
, are archived.
Here’s a sample KubeArchiveConfig
as an example:
apiVersion: kubearchive.kubearchive.org/v1alpha1
kind: KubeArchiveConfig
name: kubearchive
namespace: test
- deleteWhen: has(status.completionTime)
apiVersion: ""
kind: CronJob
- archiveOnDelete: true
apiVersion: ""
kind: Pod
In this example, the CronJob
is configured to be archived and deleted when
the status contains a "completionTime" key. When that deletion happens,
kubernetes will in turn delete the associated Pod
. Since we have
configured archiveOnDelete
for Pods
to be true, KubeArchive will archive
the Pod
itself and generate the URLs for all the associated logs.
Here’s another sample KubeArchiveConfig
for PipelineRuns
apiVersion: kubearchive.kubearchive.org/v1alpha1
kind: KubeArchiveConfig
name: kubearchive
namespace: test
- selector:
apiVersion: tekton.dev/v1
kind: PipelineRun
deleteWhen: has(status.completionTime)
- selector:
apiVersion: tekton.dev/v1
kind: TaskRun
archiveOnDelete: true
- selector:
apiVersion: v1
kind: Pod
archiveOnDelete: has(body.metadata.labels["tekton.dev/pipeline"])
In this example the following happens:
are archived when they complete. -
are archived when they are deleted. -
are archived when they are deleted and are also part of a TektonPipeline
Configuring Log URL Generation
Logging URL generation in KubeArchive is controlled using the ConfigMap
named kubearchive-logging
in the KubeArchive installation namespace.
URLs are generated using parameters that allow the URL to point to the
specific log file associated with the given Pod
. This ConfigMap
requires a single entry, LOG_URL, whose string value will be interpolated
using the other variables defined in the ConfigMap
. For example, take
this ConfigMap
for Splunk:
apiVersion: v1
kind: ConfigMap
name: kubearchive-logging
namespace: kubearchive
POD_ID: cel:metadata.uid
POD: 'spath "kubernetes.pod_id" | search "kubernetes.pod_id"="{POD_ID}"'
CONTAINER: 'spath "kubernetes.container_name" | search "kubernetes.container_name"="{CONTAINER_NAME}"'
The value of each variable is either a string or a CEL expression. A value that begins with the prefix "cel:" will be evaluated as a CEL expression against the body of the cloud event (i.e. the resource) to determine the real value of that variable used in the substitution. For example:
When generating a log URL to be stored when a Pod
is archived, the following steps are done:
All variables containing CEL expression variables are evaluated against the
resource being archived. -
The value for LOG_URL is then interpolated recursively using the values in the
until no more substitutions are done, resulting in the final URL to the log in the logging system.
The variable |
The KubeArchive Sink is not aware of changes to the
Supported Logging Systems
KubeArchive currently integrates with both Splunk and Elasticsearch
Following is a sample ConfigMap
that generates log URLs for Elasticsearch.
apiVersion: v1
kind: ConfigMap
name: kubearchive-logging
namespace: kubearchive
# NOTE: CONTAINER_NAME is provided at URL generation time by KubeArchive.
POD_ID: "cel:metadata.uid"
LOG_URL: "https://localhost:9200/fluentd/_search?_source_includes=message&size=10000&sort=_doc&q=kubernetes.pod_id:{POD_ID}%20AND%20kubernetes.container_name:{CONTAINER_NAME}"
LOG_URL_JSONPATH: "$.hits.hits[*]._source.message"
Following is a sample ConfigMap
for generating URLs for Splunk.
apiVersion: v1
kind: ConfigMap
name: kubearchive-logging
namespace: kubearchive
# NOTE: CONTAINER_NAME is provided at URL generation time by KubeArchive.
POD_ID: "cel:metadata.uid"
LOG_URL: "https://localhost:8089/services/search/jobs/export?search=search%20%2A%20%7C%20spath%20%22kubernetes.pod_id%22%20%7C%20search%20%22kubernetes.pod_id%22%3D%22{POD_ID}%22%20%7C%20spath%20%22kubernetes.container_name%22%20%7C%20search%20%22kubernetes.container_name%22%3D%22{CONTAINER_NAME}%22%20%7C%20sort%20time%20%7C%20table%20%22message%22&output_mode=json"
LOG_URL_JSONPATH: "$[*].result.message"