diff --git a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml
index 5f7a7d864..237c79fc9 100644
--- a/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml
+++ b/charts/azuremonitor-containerinsights-for-prod-clusters/templates/ama-logs.yaml
@@ -80,7 +80,7 @@ metadata:
 {{- end }}
 rules:
 - apiGroups: [""]
- resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "namespaces", "services", "persistentvolumes"]
 verbs: ["list", "get", "watch"]
 - apiGroups: ["apps", "extensions", "autoscaling"]
 resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
diff --git a/charts/azuremonitor-containers/templates/ama-logs-rbac.yaml b/charts/azuremonitor-containers/templates/ama-logs-rbac.yaml
index 89847d7f2..802007658 100644
--- a/charts/azuremonitor-containers/templates/ama-logs-rbac.yaml
+++ b/charts/azuremonitor-containers/templates/ama-logs-rbac.yaml
@@ -23,7 +23,7 @@ metadata:
 heritage: {{ .Release.Service }}
 rules:
 - apiGroups: [""]
- resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "nodes/proxy", "namespaces", "services", "persistentvolumes"]
+ resources: ["pods", "events", "nodes", "nodes/stats", "nodes/metrics", "nodes/spec", "namespaces", "services", "persistentvolumes"]
 verbs: ["list", "get", "watch"]
 - apiGroups: ["apps", "extensions", "autoscaling"]
 resources: ["replicasets", "deployments", "horizontalpodautoscalers"]
diff --git a/kubernetes/ama-logs.yaml b/kubernetes/ama-logs.yaml
index 66906092f..f7d394a09 100644
--- a/kubernetes/ama-logs.yaml
+++ b/kubernetes/ama-logs.yaml
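Review bot: Dropping `nodes/proxy` from the core-group rule is the right least-privilege move, but the hunk leaves no record of why the remaining kubelet subresources are still needed, so the next contributor debugging a 403 may simply add it back; I would put a comment directly above the `resources:` line, e.g. `# nodes/stats, nodes/metrics and nodes/spec are the only kubelet subresources the agent reads; nodes/proxy (every other kubelet endpoint) is intentionally not granted`. The same change is made in the ama-logs-rbac.yaml hunk below and in the kubernetes/ama-logs.yaml hunk `@@ -18,10 +18,9 @@`, so the comment belongs in all three places. Because `get` on `nodes/proxy` covers the kubelet endpoints that are not mapped to a narrower subresource, the change materially shrinks what a leaked ama-logs service-account token could reach, which is worth stating in the chart changelog if that is not already part of this commit. It is worth confirming that no collector still goes through the API server's node proxy path (for example a scrape of kubelet metrics via `/api/v1/nodes/<node>/proxy/`), since such a dependency would now fail at runtime with a 403 rather than at install time; a smoke test against a cluster in sidecar scraping mode would catch that.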
@@ -18,10 +18,9 @@ rules:
 "nodes/stats",
 "nodes/metrics",
 "nodes/spec",
- "nodes/proxy",
 "namespaces",
 "services",
- "persistentvolumes"
+ "persistentvolumes",
 ]
 verbs: ["list", "get", "watch"]
 - apiGroups: ["apps", "extensions", "autoscaling"]
@@ -530,7 +529,7 @@ spec:
 initialDelaySeconds: 60
 periodSeconds: 60
 timeoutSeconds: 15
-#Only in sidecar scraping mode
+ #Only in sidecar scraping mode
 - name: ama-logs-prometheus
 image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.34"
 imagePullPolicy: IfNotPresent
@@ -624,16 +623,16 @@ spec:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
- - matchExpressions:
- # kubernetes.io/os label doesnt exist in k8s versions < 1.14 so make sure to choose label based on k8s version in aks yaml
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
+ - matchExpressions:
+ # kubernetes.io/os label doesnt exist in k8s versions < 1.14 so make sure to choose label based on k8s version in aks yaml
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
 # Tolerate a NoSchedule taint on master that ACS Engine sets.
 tolerations:
 - operator: "Exists"
@@ -646,20 +645,20 @@ spec:
 - name: kube-api-access
 projected:
 sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 3600
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 3600
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
 - name: mdsd-prometheus-sock
 emptyDir: {}
 - name: host-root
@@ -1156,29 +1155,29 @@ spec:
 nodeAffinity:
 # affinity to schedule on to ephemeral os node if its available
 preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: storageprofile
- operator: NotIn
- values:
- - managed
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: storageprofile
+ operator: NotIn
+ values:
+ - managed
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
- - matchExpressions:
- - key: kubernetes.io/os
- operator: In
- values:
- - linux
- - key: type
- operator: NotIn
- values:
- - virtual-kubelet
- # The following label selector is removed for AKS, this is only required for non AKS
- - key: kubernetes.io/role
- operator: NotIn
- values:
- - master
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ # The following label selector is removed for AKS, this is only required for non AKS
+ - key: kubernetes.io/role
+ operator: NotIn
+ values:
+ - master
 # The following tolerations are removed for AKS, this is only required for non AKS
 tolerations:
 - operator: "Exists"
@@ -1191,20 +1190,20 @@ spec:
 - name: kube-api-access
 projected:
 sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 3600
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 3600
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
 - name: container-hostname
 hostPath:
 path: /etc/hostname
@@ -1238,22 +1237,22 @@ spec:
 # name: ama-logs-rs-vpa-config
 # optional: true
 ---
- apiVersion: apps/v1
- kind: DaemonSet
- metadata:
- name: ama-logs-windows
- namespace: kube-system
- labels:
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ama-logs-windows
+ namespace: kube-system
+ labels:
 component: ama-logs-agent-windows
 tier: node-win
- spec:
- updateStrategy:
+spec:
+ updateStrategy:
 type: RollingUpdate
- selector:
+ selector:
 matchLabels:
 component: ama-logs-agent-windows
 tier: node-win
- template:
+ template:
 metadata:
 labels:
 component: ama-logs-agent-windows
@@ -1264,214 +1263,214 @@ spec: schema-versions: "v1" kubernetes.azure.com/no-http-proxy-vars: "true" spec: - serviceAccountName: ama-logs - dnsConfig: + serviceAccountName: ama-logs + dnsConfig: options: - name: ndots value: "3" - containers: - # Uncomment below lines for MSI Auth Mode testing - # - name: addon-token-adapter-win - # command: - # - addon-token-adapter-win - # args: - # - --secret-namespace=kube-system - # - --secret-name=aad-msi-auth-token - # - --token-server-listening-port=7777 - # - --health-server-listening-port=9999 - # image: "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250604.1" - # imagePullPolicy: Always - # livenessProbe: - # httpGet: - # path: /healthz - # port: 9999 - # initialDelaySeconds: 10 - # periodSeconds: 60 - # resources: - # limits: - # memory: 500Mi - # requests: - # cpu: 100m - # memory: 100Mi - # securityContext: - # capabilities: - # add: - # - NET_ADMIN - - name: ama-logs-windows - image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:win-3.1.34" - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 500m - memory: 700Mi - limits: - cpu: 2 - memory: 2Gi - securityContext: - capabilities: - drop: - - ALL - add: - - DAC_OVERRIDE - env: - - name: CONTAINER_MEMORY_LIMIT_IN_BYTES - valueFrom: - resourceFieldRef: - containerName: ama-logs-windows - resource: limits.memory - - name: FBIT_SERVICE_FLUSH_INTERVAL - value: "15" - - name: FBIT_TAIL_BUFFER_CHUNK_SIZE - value: "1" - - name: FBIT_TAIL_BUFFER_MAX_SIZE - value: "1" - # azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these - - name: AKS_RESOURCE_ID - value: "VALUE_AKS_RESOURCE_ID_VALUE" - - name: AKS_REGION - value: "VALUE_AKS_RESOURCE_REGION_VALUE" - #- name: ACS_RESOURCE_NAME - # value: "my_acs_cluster_name" - - name: CONTROLLER_TYPE - value: "DaemonSet" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PODNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: 
NODE_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: SIDECAR_SCRAPING_ENABLED - value: "true" - # Add this only for clouds that require cert bootstrapping - # - name: REQUIRES_CERT_BOOTSTRAP - # value: "true" - # Uncomment below lines for MSI Auth Mode testing - # - name: USING_AAD_MSI_AUTH - # value: "true" - - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED - value: "false" - - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED - value: "false" - - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED - value: "false" - - name: APPMONITORING_OPENTELEMETRYLOGS_PORT - value: "28331" - - name: CLUSTER_CLOUD_ENVIRONMENT - value: "azurepubliccloud" # Change this to the cloud environment of your cluster - volumeMounts: - # Uncomment below lines when telegraf upgraded to 1.28.5 or higher - # - name: kube-api-access - # mountPath: /var/run/secrets/kubernetes.io/serviceaccount - # readOnly: true - - mountPath: C:\ProgramData\docker\containers - name: docker-windows-containers - readOnly: true - - mountPath: C:\var #Read + Write access on this for position file - name: docker-windows-kuberenetes-container-logs - - mountPath: C:\etc\config\settings - name: settings-vol-config - readOnly: true - - mountPath: C:\etc\ama-logs-secret - name: ama-logs-secret - readOnly: true - - mountPath: C:\etc\config\adx - name: ama-logs-adx-secret - readOnly: true - # Need to mount this only for airgapped clouds - Commenting this since it wont exist in non airgapped clouds - # - mountPath: C:\ca - # name: ca-certs - # readOnly: true - - mountPath: C:\etc\kubernetes\host - name: azure-json-path - readOnly: true - # Uncomment below lines for MSI Auth Mode testing - # - mountPath: C:\etc\IMDS-access-token - # name: imds-token - # readOnly: true - livenessProbe: - exec: - command: - - cmd - - /c - - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe - - fluent-bit.exe - - fluentdwinaks - - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" - - "C:\\etc\\amalogswindows\\renewcertificate.txt" - # 
Uncomment below lines for MSI Auth Mode testing - # - MonAgentCore.exe - periodSeconds: 60 - initialDelaySeconds: 180 - timeoutSeconds: 15 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - windows - tolerations: - - key: "CriticalAddonsOnly" - operator: "Exists" - - operator: "Exists" - effect: NoExecute - - operator: "Exists" - effect: NoSchedule - - operator: "Exists" - effect: PreferNoSchedule - volumes: - # Uncomment below lines when telegraf upgraded to 1.28.5 or higher - # - name: kube-api-access - # projected: - # sources: - # - serviceAccountToken: - # path: token - # expirationSeconds: 3600 - # - configMap: - # items: - # - key: ca.crt - # path: ca.crt - # name: kube-root-ca.crt - # - downwardAPI: - # items: - # - fieldRef: - # apiVersion: v1 - # fieldPath: metadata.namespace - # path: namespace - - name: docker-windows-kuberenetes-container-logs - hostPath: - path: C:\var - - name: azure-json-path - hostPath: - path: C:\k - # Need to mount this only for airgapped clouds - Commenting this since it wont exist in non airgapped clouds - #- name: ca-certs - # hostPath: - # path: C:\ca - - name: docker-windows-containers - hostPath: - path: C:\ProgramData\docker\containers - type: DirectoryOrCreate - - name: settings-vol-config - configMap: - name: container-azm-ms-agentconfig - optional: true - - name: ama-logs-secret - secret: - secretName: ama-logs-secret - - name: ama-logs-adx-secret - secret: - secretName: ama-logs-adx-secret - optional: true - # Uncomment below lines for MSI Auth Mode testing - # - name: imds-token - # secret: - # secretName: aad-msi-auth-token + containers: + # Uncomment below lines for MSI Auth Mode testing + # - name: addon-token-adapter-win + # command: + # - addon-token-adapter-win + # args: + # - --secret-namespace=kube-system + # - --secret-name=aad-msi-auth-token + # - --token-server-listening-port=7777 + # 
- --health-server-listening-port=9999 + # image: "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250604.1" + # imagePullPolicy: Always + # livenessProbe: + # httpGet: + # path: /healthz + # port: 9999 + # initialDelaySeconds: 10 + # periodSeconds: 60 + # resources: + # limits: + # memory: 500Mi + # requests: + # cpu: 100m + # memory: 100Mi + # securityContext: + # capabilities: + # add: + # - NET_ADMIN + - name: ama-logs-windows + image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:win-3.1.34" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 500m + memory: 700Mi + limits: + cpu: 2 + memory: 2Gi + securityContext: + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE + env: + - name: CONTAINER_MEMORY_LIMIT_IN_BYTES + valueFrom: + resourceFieldRef: + containerName: ama-logs-windows + resource: limits.memory + - name: FBIT_SERVICE_FLUSH_INTERVAL + value: "15" + - name: FBIT_TAIL_BUFFER_CHUNK_SIZE + value: "1" + - name: FBIT_TAIL_BUFFER_MAX_SIZE + value: "1" + # azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these + - name: AKS_RESOURCE_ID + value: "VALUE_AKS_RESOURCE_ID_VALUE" + - name: AKS_REGION + value: "VALUE_AKS_RESOURCE_REGION_VALUE" + #- name: ACS_RESOURCE_NAME + # value: "my_acs_cluster_name" + - name: CONTROLLER_TYPE + value: "DaemonSet" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PODNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: SIDECAR_SCRAPING_ENABLED + value: "true" + # Add this only for clouds that require cert bootstrapping + # - name: REQUIRES_CERT_BOOTSTRAP + # value: "true" + # Uncomment below lines for MSI Auth Mode testing + # - name: USING_AAD_MSI_AUTH + # value: "true" + - name: AZMON_WINDOWS_FLUENT_BIT_ENABLED + value: "false" + - name: APPMONITORING_AUTOINSTRUMENTATION_ENABLED + value: "false" + - name: APPMONITORING_OPENTELEMETRYLOGS_ENABLED + 
value: "false" + - name: APPMONITORING_OPENTELEMETRYLOGS_PORT + value: "28331" + - name: CLUSTER_CLOUD_ENVIRONMENT + value: "azurepubliccloud" # Change this to the cloud environment of your cluster + volumeMounts: + # Uncomment below lines when telegraf upgraded to 1.28.5 or higher + # - name: kube-api-access + # mountPath: /var/run/secrets/kubernetes.io/serviceaccount + # readOnly: true + - mountPath: C:\ProgramData\docker\containers + name: docker-windows-containers + readOnly: true + - mountPath: C:\var #Read + Write access on this for position file + name: docker-windows-kuberenetes-container-logs + - mountPath: C:\etc\config\settings + name: settings-vol-config + readOnly: true + - mountPath: C:\etc\ama-logs-secret + name: ama-logs-secret + readOnly: true + - mountPath: C:\etc\config\adx + name: ama-logs-adx-secret + readOnly: true + # Need to mount this only for airgapped clouds - Commenting this since it wont exist in non airgapped clouds + # - mountPath: C:\ca + # name: ca-certs + # readOnly: true + - mountPath: C:\etc\kubernetes\host + name: azure-json-path + readOnly: true + # Uncomment below lines for MSI Auth Mode testing + # - mountPath: C:\etc\IMDS-access-token + # name: imds-token + # readOnly: true + livenessProbe: + exec: + command: + - cmd + - /c + - C:\opt\amalogswindows\scripts\cmd\livenessprobe.exe + - fluent-bit.exe + - fluentdwinaks + - "C:\\etc\\amalogswindows\\filesystemwatcher.txt" + - "C:\\etc\\amalogswindows\\renewcertificate.txt" + # Uncomment below lines for MSI Auth Mode testing + # - MonAgentCore.exe + periodSeconds: 60 + initialDelaySeconds: 180 + timeoutSeconds: 15 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - windows + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + - operator: "Exists" + effect: 
PreferNoSchedule + volumes: + # Uncomment below lines when telegraf upgraded to 1.28.5 or higher + # - name: kube-api-access + # projected: + # sources: + # - serviceAccountToken: + # path: token + # expirationSeconds: 3600 + # - configMap: + # items: + # - key: ca.crt + # path: ca.crt + # name: kube-root-ca.crt + # - downwardAPI: + # items: + # - fieldRef: + # apiVersion: v1 + # fieldPath: metadata.namespace + # path: namespace + - name: docker-windows-kuberenetes-container-logs + hostPath: + path: C:\var + - name: azure-json-path + hostPath: + path: C:\k + # Need to mount this only for airgapped clouds - Commenting this since it wont exist in non airgapped clouds + #- name: ca-certs + # hostPath: + # path: C:\ca + - name: docker-windows-containers + hostPath: + path: C:\ProgramData\docker\containers + type: DirectoryOrCreate + - name: settings-vol-config + configMap: + name: container-azm-ms-agentconfig + optional: true + - name: ama-logs-secret + secret: + secretName: ama-logs-secret + - name: ama-logs-adx-secret + secret: + secretName: ama-logs-adx-secret + optional: true + # Uncomment below lines for MSI Auth Mode testing + # - name: imds-token + # secret: + # secretName: aad-msi-auth-token