You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

After installing an EKS cluster in AWS, logging is not enabled by default for the control plane due to data ingestion and storage costs. Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account which makes it easy to secure and run your clusters. You have flexibility to select the exact log types you need and sent them as log streams to a group for each Amazon EKS cluster in CloudWatch.

We had earlier done a separate guide on installation of EKS Cluster with eksctl. Confirm if you have an active Kubernetes EKS cluster in your AWS account.

$ eksctl get cluster
NAME			REGION
prod-eks-cluster	eu-west-1

There are a number of Amazon EKS control plane log types you can enable for each new or existing Amazon EKS cluster.

  • Kubernetes API server component logs (api) – Control plane API logs
  • Audit (audit) logs – Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster.
  • Authenticator (authenticator) logs – Unique to Amazon EKS. These logs represent the control plane component that Amazon EKS uses for Kubernetes Role Based Access Control (RBAC) authentication using IAM credentials.
  • Controller manager (controllerManager) logs – The controller manager manages the core control loops that are shipped with Kubernetes.
  • Scheduler (scheduler) logs – The scheduler component manages when and where to run pods in your cluster.

Enable Control Plane CloudWatch logging in EKS Cluster

Please note that CloudWatch Logs ingestion, archive storage, and data scanning rates apply to enabled control plane logs. For more information, see CloudWatch pricing.

Logging status can be checked on AWS console.

You can use AWS CLI to enable logging or with eksctl command line tool.

Enable EKS control plane logging with eksctl

The command to use is:

eksctl utils update-cluster-logging [flags]

You can view all available options with the command:

eksctl utils update-cluster-logging --help

To enable all types of logs, use all or *

eksctl utils update-cluster-logging --enable-types all

Supported log types to use are:

  • all
  • none
  • api
  • audit
  • authenticator
  • controllerManager
  • scheduler

To enable audit logs, run:

eksctl utils update-cluster-logging --enable-types audit

To enable all but controllerManager logs, run:

eksctl utils update-cluster-logging --enable-types=all --disable-types=controllerManager

For me I’ll enable all log types in my prod-eks-cluster cluster:

eksctl utils update-cluster-logging --enable-types all --cluster prod-eks-cluster --region eu-west-1 --approve

Command execution output:

[ℹ]  eksctl version 0.25.0
[ℹ]  using region eu-west-1
[ℹ]  will update CloudWatch logging for cluster "prod-eks-cluster" in "eu-west-1" (enable types: api, audit, authenticator, controllerManager, scheduler & no types to disable)
c[✔]  configured CloudWatch logging for cluster "prod-eks-cluster" in "eu-west-1" (enabled types: api, audit, authenticator, controllerManager, scheduler & no types disabled)

Logging status should change to enabled.

To disable use the command:

$ eksctl utils update-cluster-logging --disable-types all --cluster prod-eks-cluster --region eu-west-1 --approve
[ℹ]  eksctl version 0.25.0
[ℹ]  using region eu-west-1
[ℹ]  will update CloudWatch logging for cluster "prod-eks-cluster" in "eu-west-1" (no types to enable & disable types: api, audit, authenticator, controllerManager, scheduler)
[✔]  configured CloudWatch logging for cluster "prod-eks-cluster" in "eu-west-1" (no types enabled & disabled types: api, audit, authenticator, controllerManager, scheduler)

Enable EKS control plane logging with AWS CLI

Enable all logs:

aws eks --region eu-west-1 update-cluster-config --name prod-eks-cluster \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

Where:

  • prod-eks-cluster is the name of your cluster
  • eu-west-1 is the region where cluster was created

Disable with:

aws eks --region eu-west-1 update-cluster-config --name prod-eks-cluster \
--logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":false}]}'

Sample output:

{
    "update": {
        "id": "582a74a9-da01-4393-9169-3a3816965911",
        "status": "InProgress",
        "type": "LoggingUpdate",
        "params": [
            {
                "type": "ClusterLogging",
                "value": "{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":false}]}"
            }
        ],
        "createdAt": "2020-08-14T15:28:32.555000+03:00",
        "errors": []
    }
}

How To View cluster control plane logs

Once you’ve enabled Cluster logging you can use CloudWatch Console to view cluster control plane logs.

Related articles:

Install Kubernetes Metrics Server on Amazon EKS Cluster

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF