Monitor your cluster performance and view logs
You can observe your data in Amazon EKS using many available monitoring or logging tools. Your Amazon EKS log data can be streamed to AWS services or to partner tools for data analysis. There are many services available in the AWS Management Console that provide data for troubleshooting your Amazon EKS issues. You can also use an AWS-supported open-source solution for monitoring Amazon EKS infrastructure.
After selecting Clusters in the left navigation pane of the Amazon EKS console, you can view cluster health and details by choosing your cluster’s name and choosing the Observability tab. To view details about any existing Kubernetes resources that are deployed to your cluster, see View Kubernetes resources in the AWS Management Console.
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon EKS and your AWS solutions. We recommend that you collect monitoring data from all of the parts of your AWS solution. That way, you can more easily debug a multi-point failure if one occurs. Before you start monitoring Amazon EKS, make sure that your monitoring plan addresses the following questions.
- What are your goals? Do you need real-time notifications if your clusters scale dramatically?
- What resources need to be observed?
- How frequently do you need to observe these resources? Does your company want to respond quickly to risks?
- What tools do you intend to use? If you already run AWS Fargate as part of your launch, then you can use the built-in log router.
- Who do you intend to perform the monitoring tasks?
- Whom do you want notifications to be sent to when something goes wrong?
Monitoring and logging on Amazon EKS
Amazon EKS provides built-in tools for monitoring and logging. For supported versions, the observability dashboard gives visibility into the performance of your cluster. It helps you to quickly detect, troubleshoot, and remediate issues. In addition to monitoring features, it includes lists based on the control plane audit logs. The Kubernetes control plane exposes a number of metrics that can also be scraped outside of the console.
Control plane logging records all API calls to your clusters, audit information capturing which users performed which actions on your clusters, and role-based information. For more information, see Logging and monitoring on Amazon EKS in the AWS Prescriptive Guidance.
Amazon EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. You can select the exact log types you need, and logs are sent as log streams to a group for each Amazon EKS cluster in CloudWatch. For more information, see Send control plane logs to CloudWatch Logs.
Note
When you check the Amazon EKS authenticator logs in Amazon CloudWatch, entries are displayed that contain text similar to the following example.
level=info msg="mapping IAM role" groups="[]" role="arn:aws:iam::111122223333:role/XXXXXXXXXXXXXXXXXX-NodeManagerRole-XXXXXXXX" username="eks:node-manager"
Entries that contain this text are expected. The username is an Amazon EKS internal service role that performs specific operations for managed node groups and Fargate.
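The following Python is an added example, not AWS code. It parses authenticator log lines in the key=value format shown in the note, counts the expected `eks:node-manager` mappings so they do not add noise to a review, and returns every other role mapping and every non-info entry for inspection. The `example-*` role, user, and group values and the warning line are constructed for illustration, and the field names on the warning line are an assumption.

```python
import re
from collections import Counter

# Usernames the note above describes as expected internal activity.
EXPECTED_INTERNAL_USERS = {"eks:node-manager"}

# key=value pairs; values are either double-quoted or bare tokens.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_logfmt(line):
    """Return the key=value fields of one authenticator log line as a dict."""
    fields = {}
    for key, quoted, bare in (m.groups() for m in PAIR.finditer(line)):
        fields[key] = quoted if quoted is not None else bare
    return fields

def triage(lines):
    """Split entries into expected internal mappings, other mappings, non-info."""
    expected, mappings, non_info = 0, Counter(), []
    for line in lines:
        f = parse_logfmt(line)
        if not f:
            continue  # blank or unparseable line
        if f.get("level") != "info":
            non_info.append(f)  # warnings and errors always go to review
        elif f.get("msg") == "mapping IAM role":
            if f.get("username") in EXPECTED_INTERNAL_USERS:
                expected += 1
            else:
                mappings[(f.get("role"), f.get("username"), f.get("groups"))] += 1
    return expected, mappings, non_info

# Constructed sample input: line 1 is the entry from the note, the rest are made up.
EXAMPLE_ROLE = "arn:aws:iam::111122223333:role/example-dev-role"
SAMPLE_LINES = [
    'level=info msg="mapping IAM role" groups="[]" '
    'role="arn:aws:iam::111122223333:role/XXXXXXXXXXXXXXXXXX-NodeManagerRole-XXXXXXXX" '
    'username="eks:node-manager"',
    f'level=info msg="mapping IAM role" groups="[example-viewers]" '
    f'role="{EXAMPLE_ROLE}" username="example-user"',
    f'level=info msg="mapping IAM role" groups="[example-viewers]" '
    f'role="{EXAMPLE_ROLE}" username="example-user"',
    'level=warning msg="access denied" arn="arn:aws:iam::111122223333:role/example-unmapped"',
]

if __name__ == "__main__":
    expected, mappings, non_info = triage(SAMPLE_LINES)
    print("expected internal mappings:", expected)
    for (role, user, groups), n in mappings.most_common():
        print(f"{n}x {user} <- {role} groups={groups}")
    for entry in non_info:
        print("review:", entry)
```
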
For low-level, customizable logging, then Kubernetes logging
Amazon EKS is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon EKS. CloudTrail captures all API calls for Amazon EKS as events. The calls captured include calls from the Amazon EKS console and code calls to the Amazon EKS API operations. For more information, see Log API calls as AWS CloudTrail events.
The Kubernetes API server exposes a number of metrics that are useful for monitoring and analysis. For more information, see Monitor your cluster metrics with Prometheus.
To configure Fluent Bit for custom Amazon CloudWatch logs, see Setting up Fluent Bit in the Amazon CloudWatch User Guide.
Amazon EKS monitoring and logging tools
Amazon Web Services provides various tools that you can use to monitor Amazon EKS. You can configure some tools to set up automatic monitoring, but some require manual calls. We recommend that you automate monitoring tasks as much as your environment and existing toolset allow.
The following table describes various monitoring tool options.
Areas | Tool | Description | Setup |
---|---|---|---|
Control plane | | For supported versions, the observability dashboard gives visibility into the performance of your cluster. It helps you to quickly detect, troubleshoot, and remediate issues. | |
Applications / control plane | | Prometheus can be used to monitor metrics and alerts for applications and the control plane. | |
Applications | | CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices. | |
Applications | | ADOT can collect and send correlated metrics, trace data, and metadata to AWS monitoring services or partners. It can be set up through CloudWatch Container Insights. | |
Applications | | Amazon DevOps Guru detects node-level operational performance and availability. | |
Applications | | AWS X-Ray receives trace data about your application. This trace data includes incoming and outgoing requests and metadata about the requests. For Amazon EKS, the implementation requires the OpenTelemetry add-on. | |
Applications | | CloudWatch provides some basic Amazon EKS metrics for free on supported versions. You can expand this functionality with the CloudWatch Observability Operator to handle collecting metrics, logs, and trace data. | |
The following table describes various logging tool options.
Areas | Tool | Description | Setup |
---|---|---|---|
Control plane | | For supported versions, the observability dashboard shows lists based on the control plane audit logs. It also includes links to control plane logs in Amazon CloudWatch. | |
Applications | | Amazon CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your containerized applications and microservices. | |
Control plane | | You can send audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. | |
Control plane | | It logs API calls by a user, role, or service. | |
Multiple areas for AWS Fargate instances | | For AWS Fargate instances, the log router streams logs to AWS services or partner tools. It uses AWS for Fluent Bit. | |