Enable Amazon EKS Control Plane Logging

This guide will walk you through enabling Amazon EKS control plane logging and sending logs to CloudWatch Logs.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-cluster)
    root@rok-tools:~/ops/deployments# export EKS_CLUSTER
  3. Enable Amazon EKS control plane logging:

    root@rok-tools:~/ops/deployments# aws eks update-cluster-config \
    >     --name ${EKS_CLUSTER?} \
    >     --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'

    Troubleshooting

    InvalidParameterException

    If the command failed with the following message:

    An error occurred (InvalidParameterException) when calling the UpdateClusterConfig operation: No changes needed for the logging config provided

    it means that you have already enabled Amazon EKS control plane logging. Ignore this error and proceed.

Verify

  1. Verify that you have enabled control plane logging for your EKS cluster:

    root@rok-tools:~/ops/deployments# aws eks describe-cluster \
    >     --name ${EKS_CLUSTER?} \
    >     --query cluster.logging.clusterLogging[].[types,enabled] \
    >     --output text \
    >     | paste - -
    True api audit authenticator controllerManager scheduler
  2. Verify that you have enabled logging for your EKS control plane. Check that the corresponding log group has been created in Amazon CloudWatch Logs:

    root@rok-tools:~/ops/deployments# aws logs describe-log-groups \
    >     --log-group-name-prefix /aws/eks/${EKS_CLUSTER?} \
    >     --query logGroups[].[logGroupName] \
    >     --output text
    /aws/eks/arrikto-cluster/cluster
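
The first verification step can also be scripted. The following is an added example, not part of the original guide: it reads the JSON printed by `aws eks describe-cluster --name ${EKS_CLUSTER?} --output json` and reports which of the five log types from the procedure are not enabled. The function name, the file name in the usage comment and the sample responses are constructed for illustration.

```python
import json
import sys

# The five control plane log types enabled in the procedure above.
REQUIRED_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def missing_log_types(describe_cluster_json, required=REQUIRED_TYPES):
    """Return the sorted required log types that are not enabled.

    describe_cluster_json is the text printed by
    `aws eks describe-cluster --name <cluster> --output json`.
    """
    doc = json.loads(describe_cluster_json)
    logging_cfg = (doc.get("cluster") or {}).get("logging") or {}
    enabled = set()
    for entry in logging_cfg.get("clusterLogging") or []:
        # The response can list enabled and disabled types in separate
        # entries, so only count types from entries with "enabled": true.
        if entry.get("enabled") is True:
            enabled.update(entry.get("types") or [])
    return sorted(set(required) - enabled)


# Constructed sample responses (not captured from a real cluster).
SAMPLE_ALL_ENABLED = json.dumps({"cluster": {"logging": {"clusterLogging": [
    {"types": ["api", "audit", "authenticator", "controllerManager", "scheduler"],
     "enabled": True}]}}})
SAMPLE_PARTIAL = json.dumps({"cluster": {"logging": {"clusterLogging": [
    {"types": ["api", "controllerManager", "scheduler"], "enabled": True},
    {"types": ["audit", "authenticator"], "enabled": False}]}}})
SAMPLE_NO_LOGGING = json.dumps({"cluster": {"name": "example-cluster"}})

if __name__ == "__main__":
    # Usage (file name is hypothetical):
    #   aws eks describe-cluster --name "$EKS_CLUSTER" --output json \
    #       | python3 check_eks_logging.py
    # Without piped input, the constructed partial sample is checked instead.
    text = SAMPLE_PARTIAL if sys.stdin.isatty() else sys.stdin.read()
    missing = missing_log_types(text)
    if missing:
        print("Control plane log types not enabled: " + ", ".join(missing))
        sys.exit(1)
    print("All required control plane log types are enabled.")
```

The script exits with a non-zero status when any log type is missing, so it can gate a later step in a deployment pipeline.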

Summary

You have successfully enabled logging for your EKS control plane.

What’s Next

The next step is to create an IAM role for FluentD.