FluentBit 设置

FluentBit setup

我正在尝试通过 this 模块在 Terraform 中为我的 EKS 集群设置 FluentBit,我有几个问题:

cluster_identity_oidc_issuer - 这是什么?坦率地说,我只是被告知要设置它,所以我对 FluentBit 知之甚少,但我假设这个“发行者”提供了一个具有所需权限的身份。例如,奥克塔?我们使用 Okta,那么我会在这里使用什么作为值?

cluster_identity_oidc_issuer_arn - 不知道这个值应该是什么。

worker_iam_role_name - 就像具有自动缩放功能的角色 (oidc)?

这就是 eks.tf 的样子:

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name                    = "DevOpsLabs"
  cluster_version                 = "1.19"
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  vpc_id     = "xxx"
  subnet_ids = ["xxx","xxx", "xxx", "xxx"  ]


  self_managed_node_groups = {
    bottlerocket = {
      name = "bottlerocket-self-mng"

      platform      = "bottlerocket"
      ami_id        = "xxx"
      instance_type = "t2.small"
      desired_size  = 2

      iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]

      pre_bootstrap_user_data = <<-EOT
      echo "foo"
      export FOO=bar
      EOT

      bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'"

      post_bootstrap_user_data = <<-EOT
      cd /tmp
      sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
      sudo systemctl enable amazon-ssm-agent
      sudo systemctl start amazon-ssm-agent
      EOT
    }
  }
}

对于role.tf:

data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions",
    ]

    resources = ["*"]
  }
}

module "config" {
  source  = "github.com/ahmad-hamade/terraform-eks-config/modules/eks-iam-role-with-oidc"
  cluster_name     = module.eks.cluster_id
  role_name        = "cluster-autoscaler"
  service_accounts = ["kube-system/cluster-autoscaler"]
  policies         = [data.aws_iam_policy_document.cluster_autoscaler.json]

  tags = {
    Terraform = "true"
    Environment = "dev-test"
  }
}

由于您使用的是 Terraform EKS 模块,因此您可以通过查看 Outputs 选项卡 [1] 来访问所创建资源的属性。在那里你可以找到以下输出:

  • cluster_id
  • cluster_oidc_issuer_url
  • oidc_provider_arn

可以使用以下语法访问它们:

module.<module_name>.<output_id>

在您的情况下,您将使用以下语法获得所需的值:

  • cluster_id -> module.eks.cluster_id
  • cluster_oidc_issuer_url -> module.eks.cluster_oidc_issuer_url
  • oidc_provider_arn -> module.eks.oidc_provider_arn

并将它们分配给 FluentBit 模块的输入:

  cluster_name                     = module.eks.cluster_id
  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn

对于 worker 角色,我没有看到 eks 模块的输出,所以我认为这可能是 config 模块的输出 [2]:

worker_iam_role_name = module.config.iam_role_name

配置的 OIDC 部分来自 EKS 集群 [3]。另一个博客 post 可以在此处找到详细信息 [4]。


[1] https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest?tab=outputs

[2]https://github.com/ahmad-hamade/terraform-eks-config/blob/master/modules/eks-iam-role-with-oidc/outputs.tf

[3] https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

[4]https://aws.amazon.com/blogs/containers/introducing-oidc-identity-provider-authentication-amazon-eks/