feat(eks): control plane logs #8497
Original file line number | Diff line number | Diff line change | ||
---|---|---|---|---|
|
@@ -11,6 +11,7 @@ import { HelmChart, HelmChartOptions } from './helm-chart'; | |||
import { KubernetesPatch } from './k8s-patch'; | ||||
import { KubernetesResource } from './k8s-resource'; | ||||
import { KubectlProvider } from './kubectl-provider'; | ||||
import { ControlPlaneLogging } from './logging'; | ||||
import { Nodegroup, NodegroupOptions } from './managed-nodegroup'; | ||||
import { ServiceAccount, ServiceAccountOptions } from './service-account'; | ||||
import { LifecycleLabel, renderAmazonLinuxUserData, renderBottlerocketUserData } from './user-data'; | ||||
|
@@ -244,6 +245,21 @@ export interface ClusterProps extends ClusterOptions { | |||
*/ | ||||
readonly kubectlEnabled?: boolean; | ||||
|
||||
/** | ||||
* Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. | ||||
* | ||||
* @default false Cluster control plane logs are not exported to CloudWatch Logs. | ||||
*/ | ||||
What happens if I enabled logs and then set it to undefined (remove it)? Would it set all the logging to false?

It will send an empty value for logging in the call to

Have you tested this? My intuition is that if I send an
I suspect that we may either need to always send the two enabled/disable lists or add heuristics to the UPDATE handler to calculate the "diff" from the previous value and produce an appropriate update.

I will try this out and let you know, but this diff is being done in the runtime code here:

This only determines that there was a change, not which log types should now be enabled/disabled based on that change. For example, say, "oldProps" included two enabled types (say
LMK if this makes sense.

I believe we will need to send the whole configuration explicitly, including the disabled one. I am getting the following error when sending the exact same configuration to
|
||||
readonly controlPlaneLogging?: boolean; | ||||
|
||||
/** | ||||
* EKS control plane logging options. | ||||
* | ||||
* @default - none | ||||
* @see https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html | ||||
*/ | ||||
readonly controlPlaneLoggingOptions?: ControlPlaneLogging; | ||||
|
||||
/** | ||||
* Number of instances to allocate as an initial capacity for this cluster. | ||||
* Instance type can be configured through `defaultCapacityInstanceType`, | ||||
|
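Review bot: the docstrings on the two new props do not describe how they interact. `controlPlaneLogging` says only "Enable or disable exporting the Kubernetes control plane logs", but `true` without options enables all five log types, `false` together with `controlPlaneLoggingOptions` is an error, and `controlPlaneLoggingOptions` on its own also turns logging on even though its `@default - none` suggests it is purely additive. Both props are also rejected when `kubectlEnabled` is false, which neither comment mentions. Either document these rules on each prop (e.g. "`true` exports all log types unless `controlPlaneLoggingOptions` narrows the set; requires `kubectlEnabled`") or collapse the pair into a single prop so the combinations that throw cannot be expressed.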
@@ -349,6 +365,11 @@ export class Cluster extends Resource implements ICluster { | |||
*/ | ||||
public readonly kubectlEnabled: boolean; | ||||
|
||||
/** | ||||
* The Control Plane logging configuration for your cluster. | ||||
*/ | ||||
public readonly controlPlaneLogging?: ControlPlaneLogging; | ||||
|
||||
/** | ||||
* The auto scaling group that hosts the default capacity for this cluster. | ||||
* This will be `undefined` if the `defaultCapacityType` is not `EC2` or | ||||
|
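Review bot: `public readonly controlPlaneLogging?: ControlPlaneLogging` reuses the name of the boolean prop `controlPlaneLogging` but with a different type, so `props.controlPlaneLogging` and `cluster.controlPlaneLogging` have different shapes and the field holds a value (the synthesized all-`true` object) that never appeared in the props. Consider naming it `controlPlaneLoggingOptions` to match the prop it mirrors, or say in the comment that this is the resolved configuration, `undefined` when no log types are exported.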
@@ -441,9 +462,33 @@ export class Cluster extends Resource implements ICluster { | |||
let resource; | ||||
this.kubectlEnabled = props.kubectlEnabled === undefined ? true : props.kubectlEnabled; | ||||
if (this.kubectlEnabled) { | ||||
resource = new ClusterResource(this, 'Resource', clusterProps); | ||||
let logging: undefined | ControlPlaneLogging; | ||||
if (props.controlPlaneLogging === true && !props.controlPlaneLoggingOptions) { | ||||
logging = { | ||||
api: true, | ||||
audit: true, | ||||
authenticator: true, | ||||
controllerManager: true, | ||||
scheduler: true, | ||||
}; | ||||
} else if (Object.keys(props.controlPlaneLoggingOptions || {}).length > 0) { | ||||
if (props.controlPlaneLogging === false) { | ||||
throw new Error('Cannot configure control plane logging if "controlPlaneLogging" is false'); | ||||
} | ||||
logging = props.controlPlaneLoggingOptions; | ||||
} | ||||
this.controlPlaneLogging = logging; | ||||
resource = new ClusterResource(this, 'Resource', { | ||||
...clusterProps, | ||||
logging, | ||||
}); | ||||
this._clusterResource = resource; | ||||
} else { | ||||
if (props.controlPlaneLogging || props.controlPlaneLoggingOptions) { | ||||
throw new Error('Cannot configure control plane logging if kubectl is disabled'); | ||||
} else { | ||||
this.controlPlaneLogging = undefined; | ||||
} | ||||
resource = new CfnCluster(this, 'Resource', clusterProps); | ||||
} | ||||
|
||||
|
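Review bot: the branch logic on `controlPlaneLogging` / `controlPlaneLoggingOptions` has a hole: with `controlPlaneLogging: true` and `controlPlaneLoggingOptions: {}`, the first condition fails because an empty object is truthy, and the second fails because it has no keys, so `logging` stays `undefined` and nothing is exported, silently. Treat an empty options object like a missing one (test `Object.keys(props.controlPlaneLoggingOptions ?? {}).length === 0` in the first condition) or throw. Separately, when `logging` is `undefined` it is still passed to `ClusterResource` as an explicit `logging: undefined`; as the thread above points out, the UPDATE handler cannot disable previously enabled log types from that value alone, so it needs the old props to render both the enabled and the disabled lists rather than omitting the field. Finally, the `kubectlEnabled === false` branch rejects `controlPlaneLogging: false` only because `false` is falsy; an explicit `controlPlaneLoggingOptions: {}` there throws, which is inconsistent with the silent no-op in the enabled branch.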
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
/** | ||
* EKS cluster control plane logging configuration | ||
*/ | ||
export interface ControlPlaneLogging { | ||
/** | ||
* Kubernetes API server component logs – Your cluster's API server is the | ||
* control plane component that exposes the Kubernetes API. | ||
* | ||
* @default false | ||
* @see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ | ||
*/ | ||
readonly api?: boolean; | ||
|
||
/** | ||
* Audit (audit) – Kubernetes audit logs provide a record of the individual | ||
* users, administrators, or system components that have affected your cluster. | ||
* | ||
* @default false | ||
* @see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ | ||
*/ | ||
readonly audit?: boolean; | ||
|
||
/** | ||
* Authenticator – Authenticator logs are unique to Amazon EKS. These logs | ||
* represent the control plane component that Amazon EKS uses for Kubernetes | ||
* Role Based Access Control (RBAC) authentication using IAM credentials. | ||
* | ||
* @default false | ||
* @see https://kubernetes.io/docs/admin/authorization/rbac/ | ||
*/ | ||
readonly authenticator?: boolean; | ||
|
||
/** | ||
* Controller manager – The controller manager manages the core control | ||
* loops that are shipped with Kubernetes. | ||
* | ||
* @default false | ||
* @see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ | ||
*/ | ||
readonly controllerManager?: boolean; | ||
|
||
/** | ||
* Scheduler – The scheduler component manages when and where to run | ||
* pods in your cluster. | ||
* | ||
* @default false | ||
* @see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/ | ||
*/ | ||
readonly scheduler?: boolean; | ||
} |
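Review bot: the `@see` on `authenticator` points at the generic Kubernetes RBAC page, while the comment itself says these logs are unique to Amazon EKS; link the EKS control plane logs page already referenced on `controlPlaneLoggingOptions` instead. Style: "Audit (audit) –" carries a stray parenthetical copied from the AWS docs bullet that the other four entries do not have; drop it. Since every field defaults to `false` and an omitted field is only "not enabled" through the branching in `cluster.ts`, the interface comment could state that unspecified types are not exported, so users do not assume a partial object leaves existing types untouched.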
Revert

This is actually needed because the provider framework is not handling it anymore.
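The update semantics debated in the review thread above (sending only the new `logging` value versus sending explicit enabled and disabled lists) as an added TypeScript example; this is not code from the PR or from aws-cdk. It assumes the EKS `UpdateClusterConfig` payload shape `logging.clusterLogging[].{enabled, types}`, and that the `ControlPlaneLogging` property names are the same strings EKS uses for its log types. The function names `enabledTypes`, `renderLogging`, `changedTypes` and `planLoggingUpdate` are hypothetical, as is the scenario at the bottom.

```typescript
// Added example (not code from the aws-cdk PR): how a custom-resource UPDATE
// handler can render the previous and new ControlPlaneLogging props into the
// explicit enabled/disabled lists the EKS UpdateClusterConfig
// `logging.clusterLogging` parameter takes, so a log type dropped from the
// props is actively disabled rather than silently left on.

type LogType = 'api' | 'audit' | 'authenticator' | 'controllerManager' | 'scheduler';

// Same shape as the ControlPlaneLogging interface added by the PR.
interface ControlPlaneLogging {
  readonly api?: boolean;
  readonly audit?: boolean;
  readonly authenticator?: boolean;
  readonly controllerManager?: boolean;
  readonly scheduler?: boolean;
}

// One entry of the EKS `clusterLogging` array (assumed API shape).
interface LogSetup {
  readonly enabled: boolean;
  readonly types: LogType[];
}

interface LoggingConfig {
  readonly clusterLogging: LogSetup[];
}

// The five EKS control plane log types; the ControlPlaneLogging property
// names are assumed to match the EKS log type names one for one.
const ALL_LOG_TYPES: LogType[] = ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'];

// Log types a props value turns on. A missing prop (logging removed from the
// stack) enables nothing, which is what lets the diff below disable them.
function enabledTypes(logging: ControlPlaneLogging | undefined): LogType[] {
  if (logging === undefined) {
    return [];
  }
  const cfg = logging;
  return ALL_LOG_TYPES.filter(t => cfg[t] === true);
}

// Render the complete payload: every type lands in exactly one list, so the
// service never has to guess about types the props do not mention.
function renderLogging(logging: ControlPlaneLogging | undefined): LoggingConfig {
  const on = enabledTypes(logging);
  const enabled = ALL_LOG_TYPES.filter(t => on.indexOf(t) !== -1);
  const disabled = ALL_LOG_TYPES.filter(t => on.indexOf(t) === -1);
  const clusterLogging: LogSetup[] = [];
  if (enabled.length > 0) {
    clusterLogging.push({ enabled: true, types: enabled });
  }
  if (disabled.length > 0) {
    clusterLogging.push({ enabled: false, types: disabled });
  }
  return { clusterLogging };
}

// Log types whose state differs between the old and the new props.
function changedTypes(oldProps: ControlPlaneLogging | undefined,
                      newProps: ControlPlaneLogging | undefined): LogType[] {
  const before = enabledTypes(oldProps);
  const after = enabledTypes(newProps);
  return ALL_LOG_TYPES.filter(t => (before.indexOf(t) !== -1) !== (after.indexOf(t) !== -1));
}

// What the UPDATE handler should send. `undefined` means "skip the
// updateClusterConfig call": the thread reports an error when the exact same
// configuration is resent, so an unchanged config must not be resubmitted.
function planLoggingUpdate(oldProps: ControlPlaneLogging | undefined,
                           newProps: ControlPlaneLogging | undefined): LoggingConfig | undefined {
  if (changedTypes(oldProps, newProps).length === 0) {
    return undefined;
  }
  return renderLogging(newProps);
}

// Constructed scenario: API and audit logging were on, then the operator
// removed the logging props entirely. Sending only the new (empty) value would
// leave audit logs enabled; the full payload explicitly turns every type off.
const previous: ControlPlaneLogging = { api: true, audit: true };
const update = planLoggingUpdate(previous, undefined);
console.log(JSON.stringify(update, undefined, 2));
```

Rendering both lists on every change is the property that matters for audit logging: a type the operator removed from the props ends up in the `enabled: false` list instead of being left in whatever state the previous update set, and an unchanged configuration produces no call at all.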