This is a utility container to ship logs from Kubernetes into an ELK stack. SQuaRE currently uses it to send logs from GKE to the ELK stack at NCSA.

First, add the secrets you will need to connect to the Logstash implementation at the far end. Copy kubernetes/filebeat-secrets.template.yaml to a scratch file, and include the base64 encodings of the CA certificate and your local TLS certificate and key, as well as the logstash host name, logstash port, shipper name (which should identify the site, e.g. "gke"), and debug (anything but the empty string turns on debug mode). Then run kubectl create -f on that file, and then remove the file.

Then all you need to do is to create "filebeat" as a DaemonSet: kubectl create -f kubernetes/filebeat-daemonset.yaml

A DaemonSet resource runs one copy of the provided container on each node in the Kubernetes cluster. The container mounts the Docker container logs into its own space, and then filebeat watches the container logs for changes and ships them off to Logstash.

We have an input filter defined so we log neither internal health checks from the kube-system namespace (i.e. anything that comes up as a result of nanny_lib.go) nor the GKE ingress healthcheck (GET / ).

Thus, you don't have to do anything special in your container: log to stdout/stderr as usual, and whatever is produced by the container will wind up at the destination logstash instance.

We should at least put the proper endpoint into the destination host SSL certificate so we can turn ssl.verification_mode back on. Since GKE has no defined egress, we can't really do client certificate verification.