Kubernetes Logging with Filebeat and Elasticsearch Part 1

January 9, 2020

Table of Contents

1. Introduction

2. Deployment Architecture

          2.1 Deployment and Headless Service for Master Nodes

          2.2 Data Nodes Deployment

          2.3 Client Nodes Deployment

          2.4 Scaling Considerations

3. Deploying Kibana and ES-HQ

          3.1 Kibana Deployment

          3.2 ES-HQ Deployment

4. Conclusion

1. Introduction 

This is the first post of a 2 part series where we will set-up production grade Kubernetes logging for applications deployed in the cluster and the cluster itself. We will be using Elasticsearch as the logging backend for this. The Elasticsearch setup will be extremely scalable and fault tolerant.

2. Deployment Architecture

  • Elasticsearch Data Node Pods are deployed as a Stateful Set with a headless service to provide Stable Network Identities.
  • Elasticsearch Master Node Pods are deployed as a Replica Set with a headless service which will help in Auto-discovery.
  • Elasticsearch Client Node Pods are deployed as a Replica Set with an internal service which will allow access to the Data Nodes for R/W requests.
  • Kibana and ElasticHQ Pods are deployed as Replica Sets with Services accessible outside the Kubernetes cluster but still internal to your Subnetwork (not publicly exposed unless otherwise required).
  • HPA (Horizontal Pod Auto-scaler) deployed for Client Nodes to enable auto-scaling under high load.

Important things to keep in mind:

  1. Setting ES_JAVA_OPTS env variable.
  2. Setting CLUSTER_NAME env variable.
  3. Setting NUMBER_OF_MASTERS (to avoid split-brain problem) env variable for master deployment. In case of 3 masters we have set it as 2.
  4. Setting correct Pod-AntiAffinity policies among similar pods in order to ensure HA if a worker node fails.

Let’s jump right at deploying these services to our GKE cluster.

2.1 Deployment and Headless Service for Master Nodes

Deploy the following manifest to create master nodes and the headless service:


<p>CODE:https://gist.github.com/denshirenji/75ffa72c1c1e7463ceff33ee11a5702e.js</p>

If you follow the logs of any of the master-node pods, you will witness the master election among them. This is when the master-node pods choose which one is the leader of the group. When following the logs of the master-nodes, you will also see when new data and client nodes are added.

<p>CODE:https://gist.github.com/denshirenji/96fcf9c6b00f7b169bb381e1c3bf6764.js</p>


It can be seen above that the es-master pod named es-master-594b58b86c-bj7g7 was elected as the leader and the other 2 pods were added to the cluster. 

The headless service named elasticsearch-discovery is set by default as an env variable in the docker image and is used for discovery among the nodes. This can of course be overridden.


2.2 Data Nodes Deployment

We will use the following manifest to deploy Stateful Set and Headless Service for Data Nodes:

<p>CODE:https://gist.github.com/denshirenji/f66b019cbcba4aac6a464ae498d0e53a.js</p>

The headless service in the case of data nodes provides stable network identities to the nodes and also helps with the data transfer among them.

It is important to format the persistent volume before attaching it to the pod. This can be done by specifying the volume type when creating the storage class. We can also set a flag to allow volume expansion on the fly. More can be read about that here.

<p>CODE:https://gist.github.com/denshirenji/79b6e5be988846a9fa67805e3892fc27.js</p>


2.3 Client Nodes Deployment

We will use the following manifest to create the Deployment and External Service for the Client Nodes:


<p>CODE:https://gist.github.com/denshirenji/070ffc76037701ce6b5e68aa3c22beab.js</p>

The purpose of the service deployed here is to access the ES Cluster from outside the Kubernetes cluster but still internal to our subnet. The annotation “cloud.google.com/load-balancer-type: Internal” ensures this.

However, if the application reading/writing to our ES cluster is deployed within the cluster then the Elasticsearch service can be accessed by http://elasticsearch.elasticsearch:9200.

Once all components are deployed we should verify the following:

1. Elasticsearch deployment from inside the Kubernetes cluster using an Ubuntu container.

<p>CODE:https://gist.github.com/denshirenji/cbfdeb7d101ff65c5b5c2d70b4906eaa.js</p>


2. Elasticsearch deployment from outside the cluster using the GCP Internal Load balancer IP (in this case 10.9.120.8). When we check the health using curl http://10.9.120.8:9200/_cluster/health?pretty  the output should be the same as above.

3. Anti-Affinity Rules for our ES-Pods:

<p>CODE:https://gist.github.com/denshirenji/2ea5e8033d7046dd19484d7f10eb4d87.js</p>


2.4 Scaling Considerations

We can deploy auto scalers for our client nodes depending on our CPU thresholds. A sample HPA for client node might look something like this:

<p>CODE:https://gist.github.com/denshirenji/deb274400a2162436ce4cbe8ce4f1ede.js</p>


Whenever the autoscaler kicks in, we can watch the new client-node pods being added to the cluster by observing the logs of any of the master-node pods.

In case of Data-Node Pods all we have to do is increase the number of replicas using the K8 Dashboard or GKE console. The newly created data node will be automatically added to the cluster and will start replicating data from other nodes.

Master-Node Pods do not require auto scaling as they only store cluster-state information. In case you want to add more data nodes make sure there is not an even number of master nodes in the cluster. Also, make sure the environment variable NUMBER_OF_MASTERS is updated accordingly.

<p>CODE:https://gist.github.com/denshirenji/5ccbefae1418a481cb0d2cf2cfbb58db.js</p>

The logs of the leading master pod clearly depict when each node gets added to the cluster. It is extremely useful in case of debugging issues.


3. Deploying Kibana and ES-HQ

Kibana is a simple tool to visualize ES-data and ES-HQ helps in the administration and monitoring of Elasticsearch clusters. For our Kibana and ES-HQ deployment we keep the following things in mind:

  • We must provide the name of the ES-Cluster as an environment variable to the docker image.
  • The service to access the Kibana/ES-HQ deployment is internal to our organisation only, i.e. No public IP is created. We will need to use a GCP Internal load balancer.


3.1 Kibana Deployment

We will use the following manifest to create Kibana Deployment and Service:

<p>CODE:https://gist.github.com/denshirenji/366426988b9c25ba7b63675645cb9465.js</p> 


3.2 ES-HQ Deployment

We will use the following manifest to create ES-HQ Deployment and Service:

<p>CODE:https://gist.github.com/denshirenji/cac4a07a49489f928947b1502be297f4.js</p>


We can access both these services using the newly created Internal LoadBalancers.
Go to http://<External-Ip-Kibana-Service>/app/kibana#/home?_g=()


Kibana Dashboard:

Go to http://<External-Ip-ES-Hq-Service>/#!/clusters/my-es

ElasticHQ Dashboard for Cluster Monitoring and Management


4. Conclusion

This concludes deploying ES backend for logging. The Elasticsearch we deployed can be used by other applications as well. The client nodes should scale automatically under high load and data nodes can be added by incrementing the replica count in the statefulset. We will also have to tweak a few env vars but it is fairly straightforward. In the next blog we will learn about deploying a Filebeat DaemonSet in order to send logs to the Elasticsearch backend.

MetricFire specializes in monitoring time-series, while Elasticsearch dominates the logs monitoring space. Try out the MetricFire product with our free trial to monitor your time-series data, or book a demo and talk to us directly about the monitoring solution that works for you. Stay tuned for part two :)

This article was written by our guest blogger Vaibhav Thakur. If you liked this article, check out his LinkedIn for more.

Related Posts

GET FREE PROMETHEUS monitoring FOR 14 Days