FluentBit setup
I'm trying to set up FluentBit for my EKS cluster in Terraform via this module, and I have a few questions:
cluster_identity_oidc_issuer - what is this? Frankly, I was just told to set it up, so I know very little about FluentBit, but I assume this "issuer" provides an identity with the required permissions. Okta, for example? We use Okta, so what would I use here as the value?
cluster_identity_oidc_issuer_arn - no idea what this value should be.
worker_iam_role_name - like the role with the autoscaling feature (oidc)?
This is what eks.tf looks like:
module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name                    = "DevOpsLabs"
  cluster_version                 = "1.19"
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  vpc_id     = "xxx"
  subnet_ids = ["xxx", "xxx", "xxx", "xxx"]

  self_managed_node_groups = {
    bottlerocket = {
      name          = "bottlerocket-self-mng"
      platform      = "bottlerocket"
      ami_id        = "xxx"
      instance_type = "t2.small"
      desired_size  = 2

      iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]

      pre_bootstrap_user_data = <<-EOT
        echo "foo"
        export FOO=bar
      EOT

      bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'"

      post_bootstrap_user_data = <<-EOT
        cd /tmp
        sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
        sudo systemctl enable amazon-ssm-agent
        sudo systemctl start amazon-ssm-agent
      EOT
    }
  }
}
And for role.tf:
data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    effect = "Allow"
    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions",
    ]
    resources = ["*"]
  }
}

module "config" {
  source = "github.com/ahmad-hamade/terraform-eks-config/modules/eks-iam-role-with-oidc"

  cluster_name     = module.eks.cluster_id
  role_name        = "cluster-autoscaler"
  service_accounts = ["kube-system/cluster-autoscaler"]
  policies         = [data.aws_iam_policy_document.cluster_autoscaler.json]

  tags = {
    Terraform   = "true"
    Environment = "dev-test"
  }
}
Since you are using the Terraform EKS module, you can access the attributes of the created resources by looking at the Outputs tab [1]. There you can find the following outputs:
cluster_id
cluster_oidc_issuer_url
oidc_provider_arn
They can be accessed with the following syntax:
module.<module_name>.<output_id>
In your case, you would get the required values with the following syntax:
cluster_id
-> module.eks.cluster_id
cluster_oidc_issuer_url
-> module.eks.cluster_oidc_issuer_url
oidc_provider_arn
-> module.eks.oidc_provider_arn
and assign them to the FluentBit module's inputs:
cluster_name = module.eks.cluster_id
cluster_identity_oidc_issuer = module.eks.cluster_oidc_issuer_url
cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
For the worker role, I don't see an output from the eks module, so I think it might be an output of the config module [2]:
worker_iam_role_name = module.config.iam_role_name
The OIDC part of the configuration comes from the EKS cluster [3]. Another blog post with details can be found here [4].
[1] https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest?tab=outputs
[3] https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
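The following is an added example, not part of the question or the answer, showing what the two OIDC values are actually consumed for: an IAM role trust policy for IAM Roles for Service Accounts (IRSA). It reuses the module.eks outputs named in the answer and assumes the FluentBit pod runs under the service account fluent-bit in the logging namespace; the role name is also an assumption.

```hcl
# The cluster's OIDC provider ARN is the federated principal; the issuer URL
# (minus the scheme) names the claims the trust policy conditions are keyed on.
locals {
  oidc_issuer_host = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  fluent_bit_ns    = "logging"    # assumed namespace
  fluent_bit_sa    = "fluent-bit" # assumed service account name
}

data "aws_iam_policy_document" "fluent_bit_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    # Pin the trust to exactly one namespace/service-account pair. Without the
    # "sub" condition, any pod in the cluster could assume this role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:${local.fluent_bit_ns}:${local.fluent_bit_sa}"]
    }

    # Also require the token audience EKS issues for IRSA.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# The role FluentBit will assume; its permissions policy (e.g. CloudWatch Logs
# write access) is attached separately and is not shown here.
resource "aws_iam_role" "fluent_bit" {
  name               = "fluent-bit-irsa" # assumed name
  assume_role_policy = data.aws_iam_policy_document.fluent_bit_assume_role.json
}
```

The Kubernetes service account then carries the annotation eks.amazonaws.com/role-arn set to aws_iam_role.fluent_bit.arn, which is what the EKS pod identity webhook uses to inject the web identity token.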