Diagnostic Logs from Azure Kubernetes Service to Azure Monitor

Question

Pulumi · Accepted Answer

To enable diagnostic logs from Azure Kubernetes Service (AKS) and send them to Azure Monitor, we need to configure logging on the AKS and set up Azure Monitor to collect and analyze those logs. The idea is to use AKS's built-in capability to export logs and metrics to Azure Monitor Logs workspace for monitoring and analysis.

Here's how to accomplish this with Pulumi in Python:

1. **Create or specify an existing Azure Monitor Log Analytics Workspace**: This is where logs and metrics from AKS will be collected.
2. **Deploy an AKS Cluster**: We need to have an Azure Kubernetes Service instance where we'll enable diagnostic settings to forward logs.
3. **Configure Diagnostic Settings on AKS**: Enable diagnostics to send logs to Azure Monitor Logs workspace.

The following program demonstrates how to set this up. It assumes that you've already configured Pulumi for use with Azure, and that you've logged into the Azure CLI.

Let’s begin by explaining each resource and its purpose in the program:

- `LogAnalyticsWorkspace`: This resource creates an instance of Azure Monitor Log Analytics workspace which is the destination for the diagnostic logs.

- `ManagedCluster`: Represents our AKS cluster to which we will attach the diagnostic settings.

- `DiagnosticSetting`: A resource to configure the AKS cluster to export diagnostic logs and metrics to the specified Log Analytics workspace.

The program uses the `azure-native` Pulumi provider, which is a native Azure provider built on top of REST API specs and delivers same-day access to new Azure features and services.

Here is the Pulumi program in Python:

```python
import pulumi
from pulumi_azure_native import containerservice, insights, resources, operationalinsights

# Step 1: Create an Azure Resource Group
resource_group = resources.ResourceGroup("resourcegroup")

# Step 2: Create an Azure Monitor Log Analytics Workspace
log_analytics_workspace = operationalinsights.Workspace("logAnalyticsWorkspace",
    resource_group_name=resource_group.name,
    sku=operationalinsights.WorkspaceSkuArgs(
        name="PerGB2018"  # This SKU supports log analytics needed for AKS diagnostic logs
    ),
    location=resource_group.location,
    retention_in_days=30  # Logs retention period; set based on your requirements
)

# Step 3: Deploy an AKS Cluster
aks_cluster = containerservice.ManagedCluster("aksCluster",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    dns_prefix="akspulumi",
    agent_pool_profiles=[{
        "count": 1,
        "vm_size": "Standard_DS2_v2",
        "name": "agentpool",
        "mode": "System",
    }],
    identity=containerservice.ManagedClusterIdentityArgs(
        type="SystemAssigned"
    ),
)

# Step 4: Enable Diagnostic Settings for AKS to send logs to Azure Monitor Logs Workspace
diagnostic_setting = insights.DiagnosticSetting("diagnosticSetting",
    target_resource_id=aks_cluster.id,
    logs=[insights.LogSettingsArgs(
        category="kube-apiserver",
        enabled=True,
        retention_policy=insights.RetentionPolicyArgs(
            enabled=False,
            days=0
        )
    )],
    workspace_id=log_analytics_workspace.id,
    resource_group_name=resource_group.name
)

# Export the necessary outputs
pulumi.export("resource_group_name", resource_group.name)
pulumi.export("log_analytics_workspace_id", log_analytics_workspace.id)
pulumi.export("aks_cluster_name", aks_cluster.name)
```

This program starts by creating an Azure Resource Group to contain our resources. Then, it creates an Azure Monitor Log Analytics Workspace with the `PerGB2018` SKU, which supports the log analytics needed for AKS diagnostic logs. We then deploy an AKS cluster and enable system-assigned identity, as it is required by AKS to interact with other Azure services.

Finally, we configure the diagnostic settings for AKS, specifying which logs to collect—in this case, `kube-apiserver` logs—and linking it to the Log Analytics workspace we created earlier. The retention policy in the `diagnostic_setting` is set to zero since we won't be storing logs within the AKS resource itself but in the Log Analytics workspace.

The `pulumi.export` statements at the end of the program output essential identifiers which could be used in other programs or for reference.

To get the program running, you will need to have the Pulumi CLI installed and configured to access your Azure account. Once the setup is done, you can run the program using the Pulumi CLI command `pulumi up`, which will provision the resources as per the Pulumi program on your Azure account.