I am trying to create a daemonset that will collect logs from all the pods in a node from a specific namespace. I am not sure how I would specify a namespace name.
I have a namespace logging in which I deploy the daemonset. I created a serviceaccount as below
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluent-bit
  namespace: logging
My cluster role looks like this
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: fluent-bit-read
rules:
- apiGroups: [""]
  resources:
  - namespaces
  - pods
  verbs: ["get", "list", "watch"]
role binding
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: fluent-bit-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluent-bit-read
subjects:
- kind: ServiceAccount
  name: fluent-bit
  namespace: logging
Right now the daemonset collects logs from the path /var/log/containers/*.log, which currently has log files from containers running in all namespaces. Is there a way I could restrict this daemonset to just collect logs from namespaces I need?
Here is what we have in k8s documentation (link).
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can’t be both.
So, in your case you need to make use of a Role and a RoleBinding instead of a ClusterRole and ClusterRoleBinding.
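An added example (not from the question or the answer) of the namespaced form of the manifests above, so that the fluent-bit ServiceAccount can read pod metadata in one namespace only. RBAC governs API reads, not which files under /var/log/containers are tailed, so the sketch also narrows the Fluent Bit tail input by the namespace field of the log file name. Assumptions: the target namespace `my-app` and the ConfigMap name `fluent-bit-config` are placeholders, and the manifests use the `rbac.authorization.k8s.io/v1` API version.

```yaml
# Added example; "my-app" and "fluent-bit-config" are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fluent-bit-read
  namespace: my-app            # placeholder: the namespace whose pods may be read
rules:
- apiGroups: [""]
  resources: ["pods"]          # "namespaces" is cluster-scoped, so a Role cannot grant it
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fluent-bit-read
  namespace: my-app            # a RoleBinding applies only inside its own namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fluent-bit-read
subjects:
- kind: ServiceAccount
  name: fluent-bit
  namespace: logging           # the subject may live in a different namespace
---
# RBAC limits API reads only; which files are tailed is set in the Fluent Bit input.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config      # hypothetical name
  namespace: logging
data:
  fluent-bit.conf: |
    [INPUT]
        Name  tail
        Tag   kube.*
        # kubelet names these files <pod>_<namespace>_<container>-<id>.log
        Path  /var/log/containers/*_my-app_*.log
```

To cover a second namespace, add another Role and RoleBinding pair in that namespace and a second tail input with its own Path.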