Enable Cluster Integration with Simple Log Service

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that cluster integration with Simple Log Service (SLS) is enabled for your serverless Container Service for Kubernetes (ACK) clusters in order to collect log data from containers. Simple Log Service is a comprehensive real-time data logging solution, facilitating the seamless handling of log collection, shipping, search, storage, and analysis. The logging service provides a user-friendly interface for accessing the Log Viewer and an API for efficient log management.

Security

Enable Simple Log Service (SLS) integration for serverless ACK clusters to obtain centralized logging and easier troubleshooting. It simplifies log management and helps you identify issues faster. You can enable the SLS integration when setting up an ACK cluster by installing the logtail-ds component. Once the logging service is activated, it collects log data from the containers within the ACK cluster, including standard output and text files.


Audit

To determine if the ACK cluster integration with Simple Log Service (SLS) is enabled, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

03 In the left navigation panel, under Overview, choose Clusters.

04 Click on the name (link) of the ACK cluster that you want to examine, listed in the Cluster Name/ID column.

05 In the ACK resource navigation panel, under Security, choose Cluster Auditing.

06 Check whether a Cluster Auditing dashboard is available for the selected cluster. If no dashboard is available and a Get Started page is displayed instead with the message "Enable Cluster Auditing Now - The Log Service or Cluster Auditing feature is not enabled on the current cluster.", the cluster integration with Simple Log Service (SLS) is not enabled for the selected ACK cluster.

07 Repeat steps no. 4 – 6 for each Container Service for Kubernetes (ACK) cluster available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run GET /clusters command (OSX/Linux/UNIX) to describe the configuration details for each Container Service for Kubernetes (ACK) cluster provisioned in your Alibaba Cloud account:

aliyun cs GET /clusters 
  --header "Content-Type=application/json;"
  --body "{}"

02 The command output should return the configuration information available for each available ACK cluster (including the cluster ID, i.e. "cluster_id"):

[
	{
		"cluster_id": "abcd1234abcd1234abcd1234abcd1234a",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-03-06T10:30:11+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"updated": "2024-03-06T10:30:11+08:00",
		"zone_id": "eu-west-1a"
	},
	{
		"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
		"cluster_spec": "ack.standard",
		"cluster_type": "ManagedKubernetes",
		"created": "2024-03-06T14:05:11+08:00",
		"current_version": "1.28.3-aliyun.1",
		"deletion_protection": false,
		"init_version": "1.28.3-aliyun.1",
		"profile": "Default",
		"region_id": "eu-west-1",
		"size": 1,
		"state": "running",
		"subnet_cidr": "10.65.0.0/16",
		"updated": "2024-03-06T14:05:11+08:00",
		"zone_id": "eu-west-1a"
	}
]

03 Run GET /clusters/[cluster_id] command (OSX/Linux/UNIX) with the ID of the ACK cluster that you want to examine as the identifier parameter, to describe the configuration metadata available for the selected cluster:

aliyun cs GET /clusters/abcd1234abcd1234abcd1234abcd1234a 
  --header "Content-Type=application/json;" 
  --body "{}" 
  --output cols=meta_data

04 The command output should return the configuration metadata available for the selected ACK resource:

meta_data
---------
{
	"CloudMonitorVersion": "",
	"DockerVersion": "",
	"EtcdVersion": "v3.5.9",
	"ExtraCertSAN": null,
	"HasSandboxRuntime": false,
	"IPStack": "ipv4",
	"ImageType": "AliyunLinux3",
	"KubernetesVersion": "1.28.3-aliyun.1",
	"Timezone": "",
	"VSwitchIds": null,
	"VersionSpec": null,

	...

	"AuditProjectName": "",

	...

	"alicloud-monitor-controllerVersion": "v1.8.4",
	"cloud-controller-managerVersion": "v2.8.1",
	"corednsVersion": "v1.9.3.10-7dfca203-aliyun",
	"csi-pluginVersion": "v1.28.3-eb95171-aliyun",
	"csi-provisionerVersion": "v1.28.3-eb95171-aliyun",
	"gateway-apiVersion": "1.0.1",
	"kube-apiserverVersion": "v1.28.3-aliyun.1",
	"kube-controller-managerVersion": "v1.28.3-aliyun.1",
	"metrics-serverVersion": "v0.3.9.7-85b3699-aliyun",
	"storage-operatorVersion": "v1.28.2-be0cf84-aliyun"
}

Check the "AuditProjectName" attribute value to identify the Simple Log Service (SLS) project configured to manage cluster logging. If the "AuditProjectName" attribute has no value (i.e. ""), there is no SLS project configured to collect log data for your cluster, therefore, the cluster integration with Simple Log Service (SLS) is not enabled for the selected ACK cluster.
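The CLI audit above (steps 1 to 4) can be automated over every cluster in the account. The following is an added example, not part of the Conformity page or the Alibaba Cloud CLI: it parses the `GET /clusters` listing and each cluster's `GET /clusters/[cluster_id]` detail and flags clusters whose "AuditProjectName" is empty or missing. The sample responses are constructed; the function names and the assumption that the CLI may return meta_data either as a nested object (as shown above with --output cols=meta_data) or as a JSON-encoded string are mine.

```python
import json
import subprocess

# Constructed sample: output of `aliyun cs GET /clusters`, trimmed to the fields used here.
SAMPLE_CLUSTERS = json.dumps([
    {"cluster_id": "abcd1234abcd1234abcd1234abcd1234a", "name": "ack-no-logging", "region_id": "eu-west-1"},
    {"cluster_id": "1234abcd1234abcd1234abcd1234abcd1", "name": "ack-with-logging", "region_id": "eu-west-1"},
])

# Constructed sample: `aliyun cs GET /clusters/<id>` responses keyed by cluster ID. One carries
# meta_data as a nested object, the other as a JSON-encoded string (assumed CLI variant);
# both shapes are handled by parse_meta_data().
SAMPLE_DETAILS = {
    "abcd1234abcd1234abcd1234abcd1234a": {"meta_data": {"AuditProjectName": "", "KubernetesVersion": "1.28.3-aliyun.1"}},
    "1234abcd1234abcd1234abcd1234abcd1": {"meta_data": json.dumps({"AuditProjectName": "tm-sls-project"})},
}


def parse_meta_data(detail):
    """Return meta_data as a dict, decoding it if the CLI delivered it as a JSON string."""
    meta = detail.get("meta_data", {})
    if isinstance(meta, str):
        meta = json.loads(meta) if meta.strip() else {}
    return meta if isinstance(meta, dict) else {}


def sls_project_for(detail):
    """SLS project name bound to the cluster, or '' when no project is configured."""
    return str(parse_meta_data(detail).get("AuditProjectName") or "").strip()


def find_clusters_without_sls(clusters_json, details_by_id):
    """Return (cluster_id, name, region) for every cluster with an empty or missing AuditProjectName."""
    findings = []
    for cluster in json.loads(clusters_json):
        cid = cluster["cluster_id"]
        # A cluster whose detail lookup failed is reported too, so it is not silently skipped.
        if not sls_project_for(details_by_id.get(cid, {})):
            findings.append((cid, cluster.get("name", ""), cluster.get("region_id", "")))
    return findings


def run_aliyun(path):
    """Live lookup through the Alibaba Cloud CLI (hypothetical helper, not used with the sample data)."""
    cmd = ["aliyun", "cs", "GET", path, "--header", "Content-Type=application/json;", "--body", "{}"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    for cid, name, region in find_clusters_without_sls(SAMPLE_CLUSTERS, SAMPLE_DETAILS):
        print(f"NON-COMPLIANT {cid} ({name}, {region}): no SLS project in AuditProjectName")
```

For a live run, replace the two samples with `run_aliyun("/clusters")` and a dict built from `run_aliyun(f"/clusters/{cid}")` per cluster.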

Remediation / Resolution

To enable cluster integration with Simple Log Service (SLS) for your serverless ACK clusters, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service console available at https://sls.console.aliyun.com.

03 Choose Create Project to create a new Simple Log Service (SLS) project for managing your Container Service for Kubernetes (ACK) cluster logs.

04 On the Create Project setup page, provide a unique name for your new project, select the region where your ACK cluster resides, choose the appropriate resource group and logging level, and select Create to create your new SLS project.

05 Choose Create Logstore and follow the setup wizard to create a Logstore for log data storage.

06 Navigate to Container Service for Kubernetes (ACK) console at https://cs.console.aliyun.com.

07 In the left navigation panel, under Overview, choose Clusters.

08 Choose Create Kubernetes Cluster, select ACK serverless and follow the setup wizard to create a new serverless ACK cluster.

09 On the Component Configurations setup page, in the Log Service section, perform the following actions:

  1. Select the Enable Log Service setting checkbox to automatically install the logtail-ds component and enable the integration with the Simple Log Service (SLS) for collecting log data.
  2. Choose Select Project and select the SLS project created at the previous steps. To automatically create a new SLS project for Simple Log Service (SLS) integration, choose Create Project.

10 After all the required settings are configured, choose Create Cluster to deploy your new Container Service for Kubernetes (ACK) cluster.

Using Alibaba Cloud CLI

01 Install and configure Simple Log Service (SLS) CLI. SLS CLI is a dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

02 Run create_project command (OSX/Linux/UNIX) to create the Simple Log Service (SLS) project that will manage the log data for your new ACK cluster (the command does not produce an output):

aliyunlog log create_project 
  --project_name=tm-sls-project 
  --project_des="SLS Project for ACK Cluster Logs" 
  --region-endpoint=eu-west-1.log.aliyuncs.com

03 Run create_logstore command (OSX/Linux/UNIX) to create a new Simple Log Service (SLS) Logstore for storing the log data collected from containers (the command does not produce an output):

aliyunlog log create_logstore 
  --project_name=tm-sls-project 
  --logstore_name=tm-sls-project-logstore

04 Run POST /clusters command (OSX/Linux/UNIX) to create a new serverless Container Service for Kubernetes (ACK) cluster. Include the following parameters in the command request: "logging_type":"SLS" and "controlplane_log_project":"<sls-project-name>" (the name of the SLS project created at step no. 2) to enable integration with the Simple Log Service (SLS):

aliyun cs POST /clusters 
  --header "Content-Type=application/json;" 
  --body "{\"name\":\"tm-new-ack-cluster\",\"region_id\":\"eu-west-1\",\"cluster_type\":\"Kubernetes\",\"vpcid\":\"vpc-abcd1234abcd1234abcda\",\"service_cidr\":\"192.168.0.0/16\",\"kubernetes_version\":\"1.28.3-aliyun.1\",\"vswitch_ids\":[\"vsw-1234abcd1234abcd1234a\"],\"logging_type\":\"SLS\",\"controlplane_log_project\":\"tm-sls-project\"}"

05 If successful, the output should return the ID of the new ACK cluster:

{
	"cluster_id": "1234abcd1234abcd1234abcd1234abcd1",
	"request_id": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"task_id": "T-abcdabcdabcdabcdabcdabcd"
}

Publication date Apr 26, 2024