FluentBit Sidecar Injection #1048
Comments
It's not on the roadmap yet. But Fluent operator maintainers are open to seeing proposals and contributions for this feature. @AlessandroFazio
Hello @benjaminhuo, I'm glad to see you open to a proposal. I have taken some time to come up with the more formal feature request which follows.

FluentBit Sidecar Feature Request

Disclosure

Before proceeding with the technical content, I would like to stress 2 points:
Introduction

This feature request aims at adding the ability for FluentOperator users to inject FluentBit as a sidecar container in pods. This container should in some way fetch log events produced by the main application container and forward them to some destination. It could be FluentD, and in this way leverage the FluentD CR provided by the operator, or some other destination. For fetching log events I proposed here to use an emptyDir volume, where the app writes and FluentBit reads. In the General Considerations section below I explained the reason behind this choice. This solution requires making the manager bootstrap a new Webhook Server (which is not already bootstrapped in the operator codebase, from what I have seen) serving at least a mutating admission webhook under some path, could be

Configuration

The mutating webhook could be configured using a ConfigMap added as part of the manifests and mounted as a volume in the controller-manager container. The user should opt in for the sidecar injector, i.e. the feature would be disabled by default. The ConfigMap could look like the following:

```yaml
# ConfigMap belongs to the core API group, so apiVersion is v1
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-sidecar-injector
  # ...
data:
  # ConfigMap data values must be strings
  enabled: "true"
  fluentBitImage: kube-sphere/fluent-bit:tag
  sidecarRequestsCPU: 100m
  # ...
  sidecarLimitsCPU: 300m
  # ...
```

Other webhook manifests like Deployment, Service, CertManager related manifests, etc. are skipped for the sake of brevity, but naturally required. The webhook configuration manifest could look something like this:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
webhooks:
- name: fluent-sidecar.example.com
  namespaceSelector:
    matchLabels:
      # label values are strings, so the boolean must be quoted
      fluent.sidecar.io/enabled: "true"
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
    scope: "Namespaced"
  # ...
```

Sidecar Injection Logic

The sidecar injection implementation follows the ‘Istio way’. You should label the namespace with

Sidecar customization can be achieved either through:
Pod Metadata Annotations

The following pod metadata.annotations[] let the user customize the sidecar injection execution logic.

```yaml
- Key: fluent.sidecar.io/inject
  Value: bool
  Desc: specify whether the webhook should inject the sidecar
- Key: fluent.sidecar.io/application-logs/path
  Value: string
  Desc: specify the path on app container directory where app logger appender will write log files
- Key: fluent.sidecar.io/position-db/volume
  Value: bool
  Desc: specify whether the webhook should inject the position-db volume
- Key: fluent.sidecar.io/applications-logs/volume-size-limit
  Value: quantity
  Desc: specify the application logs volume size limit
- Key: fluent.sidecar.io/sidecar/request-cpu
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.requests.cpu
- Key: fluent.sidecar.io/sidecar/request-memory
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.requests.memory
- Key: fluent.sidecar.io/sidecar/request-ephemeral-storage
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.requests.ephemeral-storage
- Key: fluent.sidecar.io/sidecar/limit-cpu
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.limit.cpu
- Key: fluent.sidecar.io/sidecar/limit-memory
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.limit.memory
- Key: fluent.sidecar.io/sidecar/limit-ephemeral-storage
  Value: quantity
  Desc: specify the FluentBit sidecar container resource.limit.ephemeral-storage
- Key: fluent.sidecar.io/sidecar/image
  Value: string
  Desc: specify the FluentBit sidecar container image
```

Partial Sidecar Configuration

The user could directly include the fluent-bit sidecar container in the pod .spec.containers[].

```yaml
# Pod belongs to the core API group, so apiVersion is v1
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  # other containers #
  - name: fluent-bit
    image: auto
    # ...
```

If this is done, the following will happen:
This customization option is found in the Istio sidecar injection implementation and offers both flexibility and ease of implementation (both for users and for us as developers).

Reconcile Logic

Here is described in short the webhook business logic:
General Considerations

A natural decision is to leverage CRs already provided by the Fluent Operator, such as the configuration-related CRs. In both cases the FluentBit configuration secret will be mounted as a volume inside the FluentBit sidecar container. However, an issue can arise when the user deploys the operator but not the configuration CRs. To overcome this issue I have come across these 2 solutions:
As you can imagine they are not mutually exclusive, in the sense that the validation webhook can be useful at least to send warnings to the user. You may notice that, given this issue, it becomes even more important to give the user the ability to skip the injection using pod metadata annotations.

As for the emptyDir volume solution to store application log files written by the app and read by FluentBit, we actually came up with this solution at my company.

To conclude, I haven't talked about kustomize or helm configuration. I know this is a really crucial topic; indeed, if this software is not easy to install, it loses a lot of its value. However, I preferred to discuss the business logic and related issues for now. If the discussion about this feature progresses, we will have time to think about the deployment side of things.

Well, this is the end for now. I know that this description is far from complete, but we have to start from something. Let me know what you think about it with some feedback.
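The injection decision and emptyDir wiring from the proposal above, as an added sketch that is not code from the Fluent Operator or from any commenter. The annotation keys, the `fluent-bit` container name and the sample image come from the proposal; the reduced `Pod`/`Container`/`Mount` types, the `app-logs` volume name, the log-path validation, the read-only sidecar mount and the skip when a `fluent-bit` container is already present are assumptions.

```go
package main

import (
	"fmt"
	"path"
)

// Annotation keys and "fluent-bit" are from the proposal; the rest is assumed.
const (
	annInject  = "fluent.sidecar.io/inject"
	annLogPath = "fluent.sidecar.io/application-logs/path"
	volName    = "app-logs"
)

type Mount struct {
	Volume, Path string
	ReadOnly     bool
}
type Container struct {
	Name, Image string
	Mounts      []Mount
}
type Pod struct {
	Annotations map[string]string
	Containers  []Container
	EmptyDirs   []string // names of emptyDir volumes in the pod spec
}

// Inject mutates p in place and reports whether the sidecar was added.
func Inject(p *Pod, image string) (bool, error) {
	if p.Annotations[annInject] == "false" {
		return false, nil // pod opted out
	}
	for _, c := range p.Containers {
		if c.Name == "fluent-bit" {
			return false, nil // webhook re-invocation or user-declared sidecar
		}
	}
	dir := p.Annotations[annLogPath]
	if !path.IsAbs(dir) || path.Clean(dir) != dir || dir == "/" {
		return false, fmt.Errorf("%s: invalid path %q", annLogPath, dir)
	}
	p.EmptyDirs = append(p.EmptyDirs, volName)
	for i := range p.Containers { // app containers write into the shared volume
		p.Containers[i].Mounts = append(p.Containers[i].Mounts, Mount{volName, dir, false})
	}
	p.Containers = append(p.Containers, Container{"fluent-bit", image, []Mount{{volName, dir, true}}})
	return true, nil
}

func main() { fmt.Println(Inject(&Pod{Annotations: map[string]string{annLogPath: "/var/log/app"}}, "kube-sphere/fluent-bit:tag")) }
```

Rejecting paths that are relative, unclean or `/` keeps the shared volume from being mounted over the application's root or through a `..` segment, and the early return on an existing `fluent-bit` container keeps the mutation idempotent.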
@AlessandroFazio I think the feature is overall useful, but from what I've seen, in k8s sidecar is only useful for logging when the application isn't writing logs to stdout and instead writes it to some file in the container. Questions or comments on your proposal:
Hello @adiforluls, I'm glad to see some feedback on this feature. To address the points you raised:
Is your feature request related to a problem? Please describe.
Hello! I work for a really big Italian Company in the Energy sector and we are creating a log pipeline solution using FluentBit as a sidecar container sending records to FluentD deployment pods. We are onboarding hundreds of microservices, so there is a lot of repetitive work to do right now.
Describe the solution you'd like
So, I'm wondering if a sidecar injector pattern (the same you find in opentelemetry, envoy, etc.) with a combination of pod metadata annotations and admission mutating webhook is something that you are considering implementing and, if not, why?
Additional context
I've tried to find related issues but I didn't find anything. Yet, I don't know the fluent operator project codebase, so maybe what I am asking is not feasible in the first place, but since this is a real world scenario we are facing, maybe it could be in the community interest.
To conclude, I would be willing to contribute to implement this feature if you express interest in it.