FluentBit设置

Question

我正试图通过FluentBit模块为Terraform中的EKS集群设置这，我有以下几个问题：

cluster_identity_oidc_issuer -这是什么？坦率地说，我只是被告知要设置它，所以我对FluentBit知之甚少，但我假设这个“发行者”提供了一个具有所需权限的身份。例如，Okta？我们使用Okta，那么我在这里用什么作为值呢？

cluster_identity_oidc_issuer_arn --不知道这个值应该是什么。

worker_iam_role_name -在角色中具有自动标度功能(oidc)？

这就是eks.tf的样子：

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name                    = "DevOpsLabs"
  cluster_version                 = "1.19"
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  vpc_id     = "xxx"
  subnet_ids = ["xxx","xxx", "xxx", "xxx"  ]


  self_managed_node_groups = {
    bottlerocket = {
      name = "bottlerocket-self-mng"

      platform      = "bottlerocket"
      ami_id        = "xxx"
      instance_type = "t2.small"
      desired_size  = 2

      iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]

      pre_bootstrap_user_data = <<-EOT
      echo "foo"
      export FOO=bar
      EOT

      bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'"

      post_bootstrap_user_data = <<-EOT
      cd /tmp
      sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
      sudo systemctl enable amazon-ssm-agent
      sudo systemctl start amazon-ssm-agent
      EOT
    }
  }
}

对于role.tf：

data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions",
    ]

    resources = ["*"]
  }
}

module "config" {
  source  = "github.com/ahmad-hamade/terraform-eks-config/modules/eks-iam-role-with-oidc"
  cluster_name     = module.eks.cluster_id
  role_name        = "cluster-autoscaler"
  service_accounts = ["kube-system/cluster-autoscaler"]
  policies         = [data.aws_iam_policy_document.cluster_autoscaler.json]

  tags = {
    Terraform = "true"
    Environment = "dev-test"
  }
}

Answer 1

由于您使用的是Terraform模块，您可以通过查看Outputs选项卡1来访问创建的资源的属性。

• cluster_id
• cluster_oidc_issuer_url
• oidc_provider_arn

可以使用以下语法访问它们：

module.<module_name>.<output_id>

在您的示例中，您将使用以下语法获得所需的值：

• cluster_id -> module.eks.cluster_id
• cluster_oidc_issuer_url -> module.eks.cluster_oidc_issuer_url
• oidc_provider_arn -> module.eks.oidc_provider_arn

并将它们分配给来自FluentBit模块的输入：

  cluster_name                     = module.eks.cluster_id
  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn

对于worker角色，我没有看到来自eks模块的输出，所以我认为这可能是config模块2的输出

worker_iam_role_name = module.config.iam_role_name

配置的OIDC部分来自EKS集群3。另一篇详细的博客文章可以在这里找到。

1

2

3.

4.