apiVersion: v1 kind: ServiceAccount metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail spec: allowPrivilegeEscalation: false fsGroup: rule: RunAsAny hostIPC: false hostNetwork: false hostPID: false privileged: false readOnlyRootFilesystem: true requiredDropCapabilities: - ALL runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - secret - configMap - hostPath - projected - downwardAPI - emptyDir --- apiVersion: v1 kind: ConfigMap metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail data: promtail.yaml: | client: backoff_config: max_period: 5m max_retries: 10 min_period: 500ms batchsize: 1048576 batchwait: 1s external_labels: {} timeout: 10s positions: filename: /run/promtail/positions.yaml server: http_listen_port: 3101 clients: - url: http://loki.proxy-civo.svc:80/loki/api/v1/push external_labels: kubernetes_cluster: civo target_config: sync_period: 10s scrape_configs: - job_name: kubernetes-pods pipeline_stages: - docker: {} - cri: {} - match: selector: '{app="weave-net"}' action: drop - match: selector: '{filename=~".*konnectivity.*"}' action: drop - match: selector: '{name=~".*"} |~ ".*/healthz.*"' action: drop - match: selector: '{name=~".*"} |~ ".*/api/health.*"' action: drop - match: selector: '{name=~".*"} |~ ".*kube-probe/.*"' action: drop - match: selector: '{app="internal-proxy"}' action: drop - match: selector: '{app="non-auth-proxy"}' action: drop - match: selector: '{app="vpa"}' action: drop - match: selector: '{app="promtail"}' action: drop - match: selector: '{app="csi-node"}' action: drop - match: selector: '{app="victoria-metrics"}' action: drop - match: selector: '{app="git-sync"}' action: drop - match: selector: '{app="ingress-nginx"}' stages: - json: expressions: request_host: host request_path: path request_method: method response_status: status - drop: source: "request_path" value: "/healthz" - drop: source: "request_path" value: "/health" - labels: request_host: request_method: response_status: - match: selector: '{app="traefik"}' stages: - json: expressions: request_host: RequestHost request_path: RequestPath request_method: RequestMethod response_status: OriginStatus - drop: source: "request_path" value: "/healthz" - drop: source: "request_path" value: "/health" - drop: source: "request_path" value: "/ping" - labels: request_host: request_method: response_status: kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: - __meta_kubernetes_pod_controller_name regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? action: replace target_label: __tmp_controller_name - source_labels: - __meta_kubernetes_pod_label_app_kubernetes_io_name - __meta_kubernetes_pod_label_app - __tmp_controller_name - __meta_kubernetes_pod_name regex: ^;*([^;]+)(;.*)?$ action: replace target_label: app - source_labels: - __meta_kubernetes_pod_label_app_kubernetes_io_component - __meta_kubernetes_pod_label_component regex: ^;*([^;]+)(;.*)?$ action: replace target_label: component - action: replace source_labels: - __meta_kubernetes_pod_node_name target_label: node_name - action: replace source_labels: - __meta_kubernetes_namespace target_label: namespace - action: replace replacement: $1 separator: / source_labels: - namespace - app target_label: job - action: replace source_labels: - __meta_kubernetes_pod_name target_label: pod - action: replace source_labels: - __meta_kubernetes_pod_container_name target_label: container - action: replace replacement: /var/log/pods/*$1/*.log separator: / source_labels: - __meta_kubernetes_pod_uid - __meta_kubernetes_pod_container_name target_label: __path__ - action: replace replacement: /var/log/pods/*$1/*.log regex: true/(.*) separator: / source_labels: - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash - __meta_kubernetes_pod_container_name target_label: __path__ - action: labelmap regex: __meta_kubernetes_pod_label_(.+) --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: promtail-clusterrole labels: app.kubernetes.io/name: promtail rules: - apiGroups: [""] # "" indicates the core API group resources: - nodes - nodes/proxy - services - endpoints - pods verbs: ["get", "watch", "list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: promtail-clusterrolebinding labels: app.kubernetes.io/name: promtail subjects: - kind: ServiceAccount name: promtail namespace: monitoring roleRef: kind: ClusterRole name: promtail-clusterrole apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail rules: - apiGroups: ['extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: [promtail] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: promtail subjects: - kind: ServiceAccount name: promtail --- apiVersion: apps/v1 kind: DaemonSet metadata: name: promtail namespace: monitoring labels: app.kubernetes.io/name: promtail annotations: configmap.reloader.stakater.com/reload: "promtail" spec: selector: matchLabels: app.kubernetes.io/name: promtail template: metadata: labels: app.kubernetes.io/name: promtail annotations: prometheus.io/port: http-metrics prometheus.io/scrape: "true" spec: serviceAccountName: promtail containers: - name: promtail image: "grafana/promtail:2.6.1" imagePullPolicy: IfNotPresent args: - "-config.file=/etc/promtail/promtail.yaml" volumeMounts: - name: config mountPath: /etc/promtail - name: run mountPath: /run/promtail - mountPath: /var/lib/docker/containers name: docker readOnly: true - mountPath: /var/log/pods name: pods readOnly: true env: - name: HOSTNAME valueFrom: fieldRef: fieldPath: spec.nodeName ports: - containerPort: 3101 name: http-metrics securityContext: readOnlyRootFilesystem: true runAsGroup: 0 runAsUser: 0 readinessProbe: failureThreshold: 5 httpGet: path: /ready port: http-metrics initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists volumes: - name: config configMap: name: promtail - name: run hostPath: path: /run/promtail - hostPath: path: /var/lib/docker/containers name: docker - hostPath: path: /var/log/pods name: pods ---