Chainguard Container for fluentd-kubernetes-daemonset

Wolfi-based images that provide Fluentd DaemonSets for Kubernetes.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/fluentd-kubernetes-daemonset:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

Currently, Chainguard only provides an image for the Kinesis DaemonSet. Images for other DaemonSets are not currently provided, but may be requested.

The Chainguard Fluentd Kubernetes DaemonSet Images are comparable to the official Fluentd Kubernetes DaemonSet Images from Docker Hub. However, the Chainguard images contain only the minimum set of tools and dependencies needed to function; for example, they do not include a package manager. Unlike many other Chainguard images, though, these images include a shell.

Getting Started

Kinesis DaemonSet

Create a new Kinesis stream in the AWS Management Console or using the AWS CLI by following the AWS documentation.

Deployment

cat > values.yaml <<EOF
variant: kinesis

image:
  repository: "cgr.dev/ORGANIZATION/fluentd-kubernetes-daemonset"
  pullPolicy: "Always"
  tag: "latest"

env:
  - name: K8S_NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  - name: AWS_REGION
    value: "<AWS_REGION>"
  - name: AWS_ACCESS_KEY_ID
    value: "<AWS_ACCESS_KEY_ID>"
  - name: AWS_SECRET_ACCESS_KEY
    value: "<AWS_SECRET_ACCESS_KEY>"
  - name: AWS_PROFILE
    value: "<AWS_PROFILE>"
  - name: AWS_SESSION_TOKEN
    value: "<AWS_SESSION>"

fileConfigs:
  00_system.conf: |
    <system>
      log_level debug
    </system>
  04_outputs.conf: |
    <label @OUTPUT>
      <match **>
        @type kinesis_streams
        @id out_kinesis_streams
        endpoint https://<ENDPOINT>
        region <REGION>
        stream_name <STREAM_NAME>
    </label>
EOF

Replace the placeholder values with your AWS credentials and the Kinesis stream details, including the endpoint, region, and stream name.

Deploy the Fluentd Helm Chart with the provided values.yaml file:

helm repo add fluent https://fluent.github.io/helm-charts
helm repo update
helm install fluentd fluent/fluentd -f values.yaml

After a while, you should be see the [DEBUG] log in the fluentd Pods, indicating that the logs are being sent to the Kinesis stream:

$ kubectl logs daemonsets/fluentd

...
[debug]: #0 [out_kinesis_streams] fluentd-kubernetes-daemonset-test: Write chunk 62a9515075decf841a1cb6f2a29d21ef /  67 records /   40 KB
[debug]: #0 [out_kinesis_streams] fluentd-kubernetes-daemonset-test: Finish writing chunk
...

Finally, check the Kinesis records using the AWS Management Console or the AWS CLI:

aws --endpoint-url=https://<ENDPOINT> kinesis get-records \
  --shard-iterator "$(
    aws --endpoint-url=https://<ENDPOINT> \
      kinesis get-shard-iterator \
      --shard-iterator-type TRIM_HORIZON \
      --shard-id shardId-000000000000 \
      --stream-name <STREAM_NAME> \
      --query 'ShardIterator' \
      --output text
  )"

Documentation and Resources

Refer to the official documentation on the Fluentd DaemonSets for Kubernetes for further guidance on setup and configuration.

• Fluentd + Kubernetes documentation
• Fluentd Stream Processing with Kinesis
• Fluentd Helm Chart
• Fluentd Kinesis Plugin

Image Tagging

This image supports multiple Ruby versions and produces image tags in the following format:

cgr.dev/ORGANIZATION/fluentd-kubernetes-daemonset:<fluentd-version>-<component>-rb<ruby-version>

At present, this image only supports kinesis component with Ruby starting from version 3.1.x to 3.4.x.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.