2022 Gartner® Magic Quadrant™ SIEM
Get the reportMore
Kubernetes is first and foremost an orchestration engine that has well-defined interfaces that allows for a wide variety of plugins and integrations to make it the industry leading platform in the battle to run the world’s workloads. From machine learning to running the applications a restaurant needs, Kubernetes has proven it can run things.
All these workloads, and the Kubernetes platform itself, produce output that is most often in the form of logs. Kubernetes has some very limited capabilities to view – and in some cases collect – its internal logs, and the logs generated by all the individual workloads it is running most often in the form of ephemeral containers. This article will cover how Kubernetes logging is structured, how to use its native functionality, and how to use a third-party logging engine to really enhance what can be done with logos generated within a Kubernetes environment.
[Watch: Kubernetes Observability]
The most basic form of logging in Kubernetes is the output generated by individual containers using stdout and stderr. The output for the current running container instance is available to be accessed via the kubectl logs command.
The next level up of logging in the Kubernetes world is called node level logging. This is broken down into two components: the actual log files being stored; and the Kubernetes side, which allows the logs to be viewed remotely and removed, under certain circumstances.
The actual files are created by the container runtime engine – like Docker containerd – and contain the output from stdout and stderr. There are files for every running container on the host, and these are what Kubernetes reads when kubectl logs is run. Kubernetes is configured to know where to find these log files and how to read them through the appropriate log driver, which is specific to the container runtime.
Kubernetes has some log rotating capabilities, but it is limited to when a pod is evicted or restarted. When a pod is evicted, all logs are removed by kubelet. When a pod is restarted, kubelet keeps the current logs and the most recent version of the logs from before the restart. Any older logs are removed. This is great, but does not help keep the logs from long-running pods under control.
For any live environment with a constant stream of new log entries being generated, the reality of disk space not being infinite becomes very real the first time an application crashes due to no available space. To mitigate this, it is best practice to implement some kind of log rotation on each node that will take into account both the number of pods that potentially will be run on the node, and the disk space that is available to support logging.
While Kubernetes itself can not handle scheduled log rotation, there are many tools available that can. One of the more popular tools is logrotate, and like most other tools in the space, it can rotate based on time (like once a day), the size of the file, or a combination of both. Using size as one of the parameters makes it possible to do capacity planning to ensure there is adequate disk space to handle all the number of pods that could potentially run any given node.
There are two types of system components within Kubernetes: those that run as part of the OS, and those that run as containers managed by kubelet. As kubelet and the container runtime run as part of the operating system, their logs are consumed using the standard OS logging frameworks. As most modern Linux operating systems use systemd, all the logs are available via journalctl. In non-systemd Linux distributions these processes create “.log” files in the /var/logs/ directory.
The second type of system components that run as containers – like the schedule, api-manager, and cloud-controller-manager -– have their logs managed by the same mechanisms as any other container on any host in that Kubernetes cluster.
The bad news about cluster-level logging in Kubernetes is that Kubernetes has no native cluster-level logging. The good news is that there are a few proven methods that can be applied cluster-wide to provide the same effective result of all the logs being collected in a standardized way and sent to a central location.
The most widely-used methods are:
Installing a running agent on every node, preferably as a DaemonSet in Kubernetes, but it could be at the Operating System level.
Benefits are that it requires no changes to the Kubernetes cluster and can be extended to capture other system logs. But the downfall is that it requires a container to run with elevated privileges to access the files that some environments will not be friendly too.
This actually has two options for deployment; the first being the sidecar simply diverts all the log traffic to a custom stdout file that is watched by a custom node logging agent and then shipped off. Or, the sidecar can ship traffic directly to the central logging repository.
While this option requires no changes to the individual container images, it does require changes to the deployment specification for every application that is deployed. This is a great option if you can not run containers with elevated privileges, or only want to send different applications to different logs repositories. But that flexibility comes with many more moving parts to configure than the node-agent option that needs to be watched.
Configuring the applications directly has the same benefits as the sidecar option listed above, and can potentially provide even more valuable information as the application development team can tailor what messages are being generated. The biggest downfall revolves around the fact it is upstream in the application lifecycle and, therefore, needs involvement from the development teams to ensure it is implemented. This leads to additional cross-team coordination and can increase timelines when changes are required, due to the nature of a larger group being involved in all related activities.
Viewing logs with Kubernetes native tools is completely centered around the kubectl command line utility. The single-most useful piece of documentation around kubectl is the cheat sheet that is part of the official documentation, as it tracks all the options and parameters that are available through the command.
First up is the most basic commands that will get used to view the logs from a known container. You can view individual log streams (stdout or stderr, for example), but most people just view all the logs for more context.
$ kubectl logs apache-httpd-pod 10.2.1.1 - - [15/Aug/2017:21:30:32 +0000] "GET / HTTP/1.1" 200 576 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36" "127.0.0.1"
If you wish to follow the live stream of log entries (i.e., tail -f in Linux/UNIX) then add the -f flag to the above command before the pod name, and it will provide the same functionality. It would look like:
$ kubectl logs -f apache-httpd-pod
In the event that you only want to view logs that have been generated within a certain time period, then you can use the --since flag to provide that functionality. This command will pull back all log entries created in the last hour.
$ kubectl logs --since=1h apache-httpd-pod
If the pod has multiple containers, and the logs you need are from just one of the containers, then the logs command allows for further refinement by appending -c container_name to the end of the command.
$ kubectl logs apache-httpd-pod -c httpd-server
Kubernetes has the ability to group pods into namespaces for segmentation and easier applications of things like role-based access control. Because of the sheer number of namespaces and pods that can often be in a Kubernetes cluster, it is a common occurance to need to reference a pod or resource that is defined in another namespace. To access other namespaces without changing your default, you can add -n namespace_name to the beginning of a kubectl command to context switch.
$ kubectl -n f5-namespace logs nginx-pod
There are multiple other options available within logs that can be useful, including displaying logs from pods that are part of a specific deployment.
$ kubectl logs deployment/random-deployment
Beyond the logs, which have some traces in them, if you want to get more metrics to see the holistic view of the cluster and get closer to the idea of the Three Pillars of Observability, you can use additional commands like kubectl get pods to list running pods and kubectl top to see how many resources are being used by individual pods or nodes in the cluster.
To show what logging looks like in Kubernetes, we first need to create a pod that will generate logs. For this purpose we will create a simple pod using busybox that will run a continuous loop, and output the current date and time every second.
$ cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Pod metadata: name: counter spec: containers: - name: count image: busybox args: [/bin/sh, -c, 'i=0; while true; do echo "$i: $(date)"; i=$((i+1)); sleep 1; done'] EOF
Will create one pod
The output from these logs will look like
$ kubectl logs counter 0: Mon Jan 1 00:00:00 UTC 2001 1: Mon Jan 1 00:00:01 UTC 2001 2: Mon Jan 1 00:00:02 UTC 2001
Next step is to configure node-level logging so we can see and ship all the logs on each node to a central server. To do this with Fluentd requires it to have a namespace, a secret with several variables set for things like log target and api keys, and finally the actual deployment of Fluentd using something like a DaemonSet so it runs on every node. Explicit details on the installation are maintained by Sumo Logic on GitHub.
In the event that logs are produced outside of stdout and stderr, the pod will need to mount a local volume on the node so the logs are available outside of the running containers and then the logging-agent – in this case Fluentd – can be configured to pick up those log files. This is done by adding a new source section to the fluentd.conf file, and restarting the service. Specific details on how this would work are located in Fluentd’s documentation. This below example would pick up an Apache access_log.
<source> @type tail path /mnt/apache-httpd-pod/httpd-server/access_log pos_file /var/log/td-agent/apache2.access_log.pos <parse> @type apache2 </parse> </source>
There are two ways to enable collection of logs for Sumo Logic. The first is via Helm, to install and configure the Kubernetes cluster directly, which will be the method recommended for most deployments using vanilla Kubernetes or an offering from a public cloud provider like EKS or GKE.
The second way is to leverage tools that may already be active in the cluster, like Prometheus. This will be the preferred when the Kubernetes cluster is in one of the distributions that target on-premise enterprise deployments, like Red Hat OpenShift, so they automatically configure advanced monitoring services as part of cluster creation.
Sumo Logic has a platform that really helps companies see all Three Pillars of Observability, which are logs, metrics, and traces. The Kubernetes application, which Sumo Logic has created for their platform, actively ingests metrics and logs into their platform from connected Kubernetes clusters so they can be processed and then visualized through both predefined and custom-made dashboards to increase transparency and expose the important information from Kubernetes – like detailed cluster health and resource utilization – in addition to building trends that allow for earlier detection of anomalies in the monitored clusters.
In addition to visualization, once the data from Kubernetes has been processed in the Sumo Logic platform, it can also be queried using Sumo Logic’s powerful query language, to make analysis easier and give the ability to correlate data from additional log sources to provide a holistic view of your infrastructure.
Kubernetes is a powerful tool that greatly simplifies the process of deploying complex containerized applications at scale. Yet, like any powerful software platform, Kubernetes must be monitored effectively in order to do its job well. Without the right Kubernetes monitoring tools and procedures in place, teams risk sub-optimal performance or even complete failure of their Kubernetes-based workloads.
To help get started building and implementing a Kubernetes monitoring strategy, this page breaks down the different parts of Kubernetes and explains how to monitor each. It also discusses key Kubernetes monitoring metrics and offers tips on best practices that will help you get the most out of your Kubernetes monitoring strategy.
Now that we know what goes into monitoring Kubernetes, let's discuss how to monitor all of the pieces. In order to simplify your Kubernetes monitoring strategy, it's helpful to break monitoring operations down into different parts, each focused on a different "layer" of your Kubernetes environment or part of the overall workload (clusters, pods, applications and the end-user experience).
The highest-level component of Kubernetes is the cluster. As noted above, in most cases each Kubernetes installation consists of only one cluster. Thus, by monitoring the cluster, you gain an across-the-board view of the overall health of all of the nodes, pods and applications that form your cluster. (If you use federation to maintain multiple clusters, you'll have to monitor each cluster separately. But that is not very difficult, especially because it would be very rare to have more than two or three clusters per organization.)
Specific areas to monitor at the cluster level include:
While cluster monitoring provides a high-level overview of your Kubernetes environment, you should also collect monitoring data from individual pods. This data will provide much deeper insight into the health of pods (and the workloads that they host) than you can glean by simply identifying whether or not pods are running at the cluster level.
When monitoring pods, you'll want to focus on:
Although applications are not a specifically defined component within Kubernetes, hosting applications is a reason why you ultimately use Kubernetes in the first place. Thus, it's important to monitor the applications being hosted on your cluster (or clusters) by checking:
Problems revealed by application monitoring in Kubernetes could be the result of an issue with your Kubernetes environment, or they could be rooted in your application code itself. Either way, you'll want to be sure to identify the problem so you can correct it
Like applications, the end-user experience is not a technical part of the Kubernetes platform. But delivering a positive experience for end-users – meaning the people who use the applications hosted on Kubernetes – is a critical consideration for any successful Kubernetes strategy.
Toward that end, it's important to collect data that provides insight into the performance and usability of applications. We discussed some of this above in the context of monitoring for application responsiveness, which provides insight into performance. When it comes to assessing usability, performing both synthetic and real-user monitoring is critical for understanding how users are interacting with Kubernetes workloads and whether there are any adjustments you can make within Kubernetes (such as enhancing your application frontend) to improve usability.
In addition to the various Kubernetes monitoring considerations described above, which apply to any type of Kubernetes environment, there are some special factors to weigh when you're running Kubernetes in the cloud.
In a cloud-based installation, you'll also need to monitor for:
Network performance: In the cloud, the network is often the biggest performance bottleneck for your applications. Monitoring the cloud network to ensure that it is moving data as quickly as you need, helps to safeguard against network-related performance issues.
With your load balancer configured, you can trust that requests to your services will be dispatched efficiently, ensuring smoother performance and enabling you to handle greater loads. For many of us, however, trust must be earned, and “seeing is believing,” as the old adage goes. If you want to see your load balancer in action so that you know it’s operating as it should, you need a way to visualize your Kubernetes services and monitor their performance. The Sumo Logic Kubernetes App provides visibility on all your nodes, allowing you to monitor and troubleshoot load balancing as well as myriad other metrics to track the health of your clusters. You can track the loads being placed on each service to verify that resources are being shared evenly, and you can also monitor the load balancing service itself from a series of easy-to-understand dashboards.
If your application must handle an unpredictable number of requests, a load balancer is essential for ensuring reliable performance without the cost of over-provisioning. Depending on the number of services you need to route traffic to, as well as the level of complexity you are willing to accept, you might choose to use Ingress or the external load balancing service offered by your cloud provider. Regardless of how you implement your load balancing, monitoring its performance through the Sumo Logic Kubernetes App will allow you to measure its benefits and quickly react when it is not operating as it should.
Now that we know which types of monitoring to perform for Kubernetes, let's discuss the specific metrics to collect in order to achieve visibility into a Kubernetes installation.
Common metrics refer to metrics you can collect from the code of Kubernetes itself, which is written in Golang. This information helps you understand what is happening deep under the hood of Kubernetes.
A summary of the GC invocation durations
Number of OS threads created
Number of goroutines that currently exist
API Server, Controller Manager
Counter of etcd helper cache hits
API Server, Controller Manager
Counter of etcd helper cache misses
API Server, Controller Manager
Latency in microseconds of adding an object to etcd cache
API Server, Controller Manager
Latency in microseconds of getting an object from etcd cache
API Server, Controller Manager
Etcd request latency summary in microseconds for each operation and object type
Since APIs serve as the glue that binds the Kubernetes frontend together, API metrics are crucial for achieving visibility into the API Server – and, by extension, into your entire frontend.
Count of apiserver requests broken out for each verb, API resource, client, and HTTP response contentType and code
Response latency distribution in microseconds for each verb, resource and subresource
Since Etcd stores all of the configuration data for Kubernetes itself, Etcd metrics deliver critical visibility into the state of your cluster.
1 if a leader exists, 0 if not
Number of leader changes
Number of proposals that have been applied
Number of proposals that have been committed
Number of proposals that are pending
Number of proposals that have failed
Actual size of database usage after a history compaction
Latency distributions of commit called by the backend
Latency distributions of fsync calle by wal
Total number of bytes received by gRPC clients
Total number of bytes sent by gRPC clients
Total number of gRPC’s started on the server
Total number of gRPC’s handled on the server
Monitoring latency in the Scheduler helps identify delays that may arise and prevent Kubernetes from deploying pods smoothly.
The end-to-end scheduling latency, which is the sum of the scheduling algorithm latency and the binding latency
Watching the requests that the Controller makes to external APIs helps ensure that workloads can be orchestrated successfully, especially in cloud-based Kubernetes deployments.
The latency of the cloud provider API call
Cloud provider API request errors
Kube-State-Metrics is an optional Kubernetes add-on that generates metrics from the Kubernetes API. These metrics cover a range of resources; following, are the most valuable ones.
The current phase of the pod
Limit on CPU cores that can be used by the container
Limit on the amount of memory that can be used by the container
The number of requested cores by a container
The number of requested memory bytes by a container
Will be 1 if the container is ready, and 0 if it is in a not ready state
Total number of restarts of the container
The reason that the container is in a terminated state
The reason that the container is in a waiting state
The number of nodes that should be running the pod
The number of nodes that should be running the pod, but are not able to
The number of desired pod replicas for the Deployment
The number of unavailable replicas per Deployment
Whether a node can schedule new pods or not
The total CPU resources available on the node
The total memory resources available on the node
The number of pods the node can schedule
The current status of the node
Monitoring the Kubelet agent will help ensure that the Control Plane can communicate effectively with each of the nodes that Kubelet runs on. Beyond the common GoLang runtime metrics described above, Kubelet exposes some internals about its actions that are good to track as well.
The number of containers that are currently running
The cumulative number of runtime operations available by the different operation types
The latency of each operation by type in microseconds
Monitoring standard metrics from the operating systems that power Kuberntees nodes provides insight into the health of each node. Common node metrics to monitor include CPU load, memory consumption, filesystem activity and usage and network activity.
While metrics from Kubernetes can provide insight into many parts of your workload, you should also home in on individual containers to monitor for resource consumption. CAdvisor, which analyzes resource usage inside containers, is helpful for this purpose.
When you need to investigate an issue revealed by metrics, logs are invaluable for diving deeper by collecting information that goes beyond metrics themselves. Kubernetes offers a range of logging facilities for most of its components. Applications themselves also typically generate log data.
With the Sumo Logic Kubernetes App, collecting and analyzing monitoring data from across your Kubernetes environment is simple. Sumo Logic does the hard work of collecting metrics from Kubernetes’s many different parts, then aggregates them and provides you with data analytics tools for making sense of all of the data.
Just as Kubernetes makes it practical to manage complex containerized applications at scale, Sumo Logic makes it possible to monitor Kubernetes itself – a task that would be all but impossible without Sumo Logic’s ability to streamline the monitoring and analytics process.
Reduce downtime and move from reactive to proactive monitoring.
Monitor, troubleshoot and secure your Kubernetes clusters with Sumo Logic Continuous Intelligence solution for Kubernetes.Chart your course