A managed service for launching, running and scaling Kubernetes
Control plane logs
EKS control plane logs can be sent to CloudWatch Logs
Source: Send control plane logs to CloudWatch Logs - Amazon EKS
Amazon EKS control plane logging is a feature that allows users to send logs from the Amazon EKS control plane to CloudWatch Logs in their account. This service provides audit and diagnostic logs for securing and managing clusters.
Log types that can be exported
Five types of control plane logs can be individually selected and enabled
Source: Send control plane logs to CloudWatch Logs - Amazon EKS
| Log type | Description | From the official documentation |
|---|---|---|
| API server (`api`) | The control plane component that exposes the Kubernetes API | "Your cluster's API server is the control plane component that exposes the Kubernetes API." |
| Audit (`audit`) | A record of the users, administrators and system components that have affected the cluster | "Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster." |
| Authenticator (`authenticator`) | Unique to Amazon EKS. The component that performs Kubernetes RBAC authentication using IAM credentials | "Authenticator logs are unique to Amazon EKS. These logs represent the control plane component that Amazon EKS uses for Kubernetes Role Based Access Control (RBAC) authentication using IAM credentials." |
| Controller manager (`controllerManager`) | Manages the core control loops that ship with Kubernetes | "The controller manager manages the core control loops that are shipped with Kubernetes." |
| Scheduler (`scheduler`) | Decides when and where Pods run in the cluster | "The scheduler component manages when and where to run Pods in your cluster." |
How to enable it
With the AWS CLI:

```shell
aws eks update-cluster-config \
  --name <cluster-name> \
  --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
```

With eksctl (in the `ClusterConfig`):

```yaml
cloudWatch:
  clusterLogging:
    enableTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    logRetentionInDays: 7
```

Source: CloudWatch logging - Eksctl User Guide
"CloudWatch logging is not enabled by default due to data ingestion and storage costs. To enable it, users must define the `cloudWatch.clusterLogging.enableTypes` setting in their `ClusterConfig` file."
Points to note
Source: Send control plane logs to CloudWatch Logs - Amazon EKS
- Disabled by default
  "By default, cluster control plane logs aren't sent to CloudWatch Logs."
- Logs are sent to the log group `/aws/eks/<cluster-name>/cluster`
  "Choose the cluster that you want to view logs for. The log group name format is `/aws/eks/my-cluster/cluster`."
- Delivery takes a few minutes, but is best effort
  "Amazon EKS control plane logs are delivered to CloudWatch Logs within a few minutes. However, log delivery is best effort, so logs may be delayed beyond the typical delivery times."
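Because logging is off by default, a practical check is to read the `logging.clusterLogging` block that `aws eks describe-cluster` returns, list which of the five log types are still disabled, and build the `--logging` payload for `update-cluster-config` shown above. The following is an added example, not code from the AWS documentation; the `SAMPLE_CLUSTER` object is constructed to mimic a describe-cluster response, and the function names are assumptions.

```python
"""Audit EKS control plane logging from a DescribeCluster response (added example)."""
import json

# The five control plane log types EKS can send to CloudWatch Logs.
ALL_LOG_TYPES = ("api", "audit", "authenticator", "controllerManager", "scheduler")


def enabled_log_types(cluster):
    """Return the set of log types enabled in a DescribeCluster 'cluster' object.
    EKS reports logging as a list of {'types': [...], 'enabled': bool} entries."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(cluster, required=ALL_LOG_TYPES):
    """Log types from `required` that are not currently enabled, in order."""
    enabled = enabled_log_types(cluster)
    return [t for t in required if t not in enabled]


def logging_payload(types):
    """Compact JSON for `aws eks update-cluster-config --logging` enabling `types`."""
    body = {"clusterLogging": [{"types": list(types), "enabled": True}]}
    return json.dumps(body, separators=(",", ":"))


def log_group_name(cluster_name):
    """CloudWatch log group that receives the cluster's control plane logs."""
    return f"/aws/eks/{cluster_name}/cluster"


# Constructed sample: shape of `aws eks describe-cluster --name my-cluster`
# (only the fields used here), with just the API server log enabled.
SAMPLE_CLUSTER = {
    "name": "my-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api"], "enabled": True},
        {"types": ["audit", "authenticator", "controllerManager", "scheduler"],
         "enabled": False},
    ]},
}

if __name__ == "__main__":
    missing = missing_log_types(SAMPLE_CLUSTER)
    if missing:  # audit/authenticator gaps mean no record of who touched the cluster
        print("disabled log types:", missing)
        print("aws eks update-cluster-config --name", SAMPLE_CLUSTER["name"],
              "--logging", "'" + logging_payload(ALL_LOG_TYPES) + "'")
    print("log group:", log_group_name(SAMPLE_CLUSTER["name"]))
```

Run against real output by loading `aws eks describe-cluster --name <cluster-name>` JSON and passing its `cluster` object to `missing_log_types`.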