Kubernetes日志管理与最佳实践

张

张建站

2026/5/30 1:20:02

10分钟阅读

Kubernetes日志管理与最佳实践引言在云原生环境中日志是系统可观测性的重要组成部分。有效的日志管理能够帮助开发者快速定位问题、监控系统状态和进行安全审计。本文将深入探讨Kubernetes环境下的日志管理策略包括日志收集、存储、查询和分析的最佳实践。一、日志概述1.1 Kubernetes日志类型Kubernetes中的日志主要分为以下几类容器日志应用程序输出到stdout/stderr的日志系统日志Kubernetes组件如kubelet、kube-proxy的日志审计日志API Server的审计日志事件日志Kubernetes事件1.2 日志收集架构容器应用 - stdout/stderr - Docker日志驱动 - 日志收集器 - 日志存储 - 日志查询二、日志收集方案2.1 使用Fluentd收集日志apiVersion: v1 kind: ConfigMap metadata: name: fluentd-config data: fluent.conf: | source type tail path /var/log/containers/*.log pos_file /var/log/fluentd-containers.log.pos tag kubernetes.* read_from_head true /source filter kubernetes.** type kubernetes_metadata /filter match ** type elasticsearch host elasticsearch port 9200 index_name fluentd type_name _doc /match2.2 Fluentd DaemonSet部署apiVersion: apps/v1 kind: DaemonSet metadata: name: fluentd spec: selector: matchLabels: app: fluentd template: spec: containers: - name: fluentd image: fluent/fluentd-kubernetes-daemonset:v1.15.3-debian-elasticsearch7-1.0 env: - name: FLUENT_ELASTICSEARCH_HOST value: elasticsearch - name: FLUENT_ELASTICSEARCH_PORT value: 9200 volumeMounts: - name: varlog mountPath: /var/log - name: varlibdockercontainers mountPath: /var/lib/docker/containers readOnly: true volumes: - name: varlog hostPath: path: /var/log - name: varlibdockercontainers hostPath: path: /var/lib/docker/containers2.3 使用Loki收集日志apiVersion: v1 kind: ConfigMap metadata: name: loki-config data: loki.yaml: | auth_enabled: false server: http_listen_port: 3100 ingester: lifecycler: address: 127.0.0.1 ring: kvstore: store: inmemory replication_factor: 1 final_sleep: 0s chunk_idle_period: 5m chunk_retain_period: 30s max_transfer_retries: 0 schema_config: configs: - from: 2020-10-24 store: boltdb-shipper object_store: filesystem schema: v11 index: prefix: index_ period: 24h storage_config: boltdb_shipper: active_index_directory: /loki/boltdb-shipper-active cache_location: /loki/boltdb-shipper-cache shared_store: filesystem filesystem: directory: /loki/chunks limits_config: enforce_metric_name: false reject_old_samples: true reject_old_samples_max_age: 168h2.4 Promtail配置apiVersion: v1 kind: ConfigMap metadata: name: promtail-config data: promtail.yaml: | server: http_listen_port: 9080 grpc_listen_port: 0 positions: filename: /tmp/positions.yaml clients: - url: http://loki:3100/loki/api/v1/push scrape_configs: - job_name: kubernetes-pods pipeline_stages: - docker: {} kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_label_app] action: replace target_label: app三、日志存储方案3.1 Elasticsearch部署apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 8.8.0 nodeSets: - name: default count: 3 config: node.store.allow_mmap: false3.2 Loki部署# 安装Loki Helm chart helm repo add grafana https://grafana.github.io/helm-charts helm repo update helm install loki grafana/loki \ --set persistence.enabledtrue \ --set persistence.size100Gi3.3 日志存储对比存储方案特点适用场景Elasticsearch全文搜索能力强功能丰富大规模日志分析Loki轻量级与Prometheus集成好云原生环境成本敏感Splunk企业级功能安全合规企业级日志管理DatadogSaaS服务开箱即用多云环境四、日志查询与分析4.1 Kibana日志查询# 查询特定Pod的日志 GET /fluentd/_search { query: { match: { kubernetes.pod.name: my-app-12345 } } } # 查询特定时间范围的日志 GET /fluentd/_search { query: { range: { timestamp: { gte: 2024-01-01T00:00:00, lte: 2024-01-02T00:00:00 } } } }4.2 Grafana Loki查询# 查询特定Pod的日志 {appmy-app} | error # 查询包含特定关键字的日志 {namespacedefault} | ERROR ! INFO # 统计日志数量 count_over_time({appmy-app}[5m])4.3 日志可视化DashboardapiVersion: v1 kind: ConfigMap metadata: name: grafana-dashboard data: dashboard.json: | { title: Kubernetes Logs Dashboard, panels: [ { type: logs, title: Pod Logs, targets: [ { expr: {app\my-app\}, datasource: Loki } ] }, { type: stat, title: Error Count, targets: [ { expr: count_over_time({app\my-app\} | \error\[1m]), datasource: Loki } ] } ] }五、日志最佳实践5.1 结构化日志{ timestamp: 2024-01-01T12:00:00Z, level: INFO, service: my-app, pod: my-app-12345, namespace: default, request_id: abc123, message: Request completed, duration_ms: 123, status_code: 200 }5.2 日志级别管理apiVersion: v1 kind: ConfigMap metadata: name: log-config data: LOG_LEVEL: INFO5.3 日志轮转配置apiVersion: v1 kind: ConfigMap metadata: name: docker-daemon-config data: daemon.json: | { log-driver: json-file, log-opts: { max-size: 10m, max-file: 5, compress: true } }六、日志安全6.1 敏感信息过滤apiVersion: v1 kind: ConfigMap metadata: name: fluentd-filter-config data: filter.conf: | filter kubernetes.** type record_transformer enable_ruby true record message ${record[message].gsub(/password[^]*/, password***)} message ${record[message].gsub(/token[^]*/, token***)} /record /filter6.2 日志访问控制apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: log-reader rules: - apiGroups: [] resources: [pods/log] verbs: [get]七、日志监控与告警7.1 日志告警规则apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: log-alerts spec: groups: - name: log.rules rules: - alert: HighErrorRate expr: sum(rate({appmy-app} | ERROR[5m])) 10 for: 5m labels: severity: warning annotations: summary: High error rate detected description: {{ $value }} errors per minute7.2 日志异常检测apiVersion: v1 kind: ConfigMap metadata: name: loki-alerting data: alerting.yaml: | groups: - name: log-alerts rules: - alert: LogPatternMatch expr: count_over_time({appmy-app} | CRITICAL ERROR[10m]) 1 for: 5m labels: severity: critical annotations: summary: Critical error detected in logs八、总结日志管理是Kubernetes可观测性的重要组成部分。通过合理配置日志收集、存储和查询方案可以实现对系统状态的全面监控和问题的快速定位。在实际生产环境中建议采用结构化日志格式、配置合理的日志轮转策略并建立完善的日志监控和告警体系。同时注意保护日志中的敏感信息确保日志数据的安全性和合规性。