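# ConfigMap holding the Lua script that the ClusterFilter in the second
# document runs against log records.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lua-severity
  labels:
    app.kubernetes.io/component: operator
    app.kubernetes.io/name: fluent-bit-lua-severity
  namespace: fluent-operator
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: fluentbit-restrictions
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-logging'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
data:
  severity.lua: |-
    -- Severity filter for log records.
    --
    -- A record is kept when its "severity" field is at or above the minimum
    -- level that applies to it (default "error"), or when it is exempt (see
    -- get_allowed_severity). Every other record is dropped.
    --
    -- Only the names listed in severity_hierarchy are recognised. A record
    -- whose severity is any other string (for example "fatal" or "trace")
    -- matches no allowed level and is dropped unless it is exempt. A record
    -- with no severity is treated as "info", so it is dropped under the
    -- default threshold.
    local severity_hierarchy = {
      ["debug"] = 1,
      ["info"] = 2,
      ["notice"] = 3,
      ["warn"] = 4,
      ["warning"] = 4,
      ["error"] = 5,
      ["critical"] = 6,
      ["alert"] = 7,
      ["emergency"] = 8,
    }

    -- containers that should allow all log levels to be processed
    local critical_containers = {
      -- example:
      -- ["kube-apiserver"] = true,
      -- ["another-container"] = true,
    }

    -- namespaces that should allow all log levels to be processed
    local critical_namespaces = {
      -- example:
      -- ["kube-system"] = true,
      -- ["another-namespace"] = true,
    }

    -- Work out which severities may pass for this record.
    --
    -- Returns nil when the record is exempt (every level passes), otherwise a
    -- table whose keys are the allowed severity names.
    local function get_allowed_severity(record)
      local k8s_data = record["kubernetes"]
      local severity_allowed = {}
      local min_level = 5 -- allow "error" and above by default

      if k8s_data then
        if (k8s_data["container_name"]
            and critical_containers[k8s_data["container_name"]])
          or (k8s_data["namespace_name"]
            and critical_namespaces[k8s_data["namespace_name"]]) then
          -- always allow logs from critical containers or anything from
          -- critical namespaces
          return nil
        end

        if k8s_data["annotations"] then
          -- NOTE(review): both annotations below are read from the record's
          -- kubernetes metadata and are trusted as-is. If workload owners can
          -- set them on their own pods, they decide what this filter lets
          -- through for those pods; confirm that is intended, or restrict
          -- these keys at admission.

          -- The "logging.edge.ncr.com/auditkey" annotation names a top-level
          -- field of the record. When the record carries that field with a
          -- value other than nil/false, the record is exempt from severity
          -- filtering. The check is on the presence of the field, not on the
          -- text of the log message.
          -- typically this would be used for containers that need to send
          -- INFO level audit logs up to the cloud
          local audit_key = k8s_data["annotations"]["logging.edge.ncr.com/auditkey"]
          if audit_key and record[audit_key] then
            return nil
          end

          -- The "logging.edge.ncr.com/level" annotation overrides the default
          -- threshold. It is lower-cased before the lookup so that "ERROR" or
          -- "Info" are honoured the same way record severities are; a value
          -- that is not a known severity name leaves the default in place.
          local log_level = k8s_data["annotations"]["logging.edge.ncr.com/level"]
          if type(log_level) == "string" then
            local annotated_level = severity_hierarchy[string.lower(log_level)]
            if annotated_level then
              min_level = annotated_level
            end
          end
        end
      end

      for severity, level in pairs(severity_hierarchy) do
        if level >= min_level then
          severity_allowed[severity] = true
        end
      end

      return severity_allowed
    end

    --[[
      Filter entry point named by the ClusterFilter's "call" field.

      - return codes :
        -1 record must be deleted
         0 record not modified, keep the original
         1 record was modified, replace timestamp and record
         2 record was modified, replace record and keep timestamp

      Only -1 and 0 are returned here.
    ]]
    function process_logs(tag, timestamp, record)
      local level = record["severity"]
      if level == nil or level == '' then
        level = "info"
      else
        -- NOTE(review): string.lower raises if severity is neither a string
        -- nor a number; confirm what happens to such a record when the
        -- script errors.
        level = string.lower(level)
      end

      local severity_allowed = get_allowed_severity(record)
      if severity_allowed == nil or severity_allowed[level] then
        return 0, timestamp, record
      else
        return -1, timestamp, record
      end
    end
---
# ClusterFilter that runs process_logs from the lua-severity ConfigMap on
# every record whose tag matches "k8s_container.*".
# NOTE(review): the "zzz-" name prefix presumably controls where this filter
# sorts relative to other ClusterFilters - confirm.
apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterFilter
metadata:
  name: zzz-k8s-container-restrict
  labels:
    fluentbit.fluent.io/enabled: "true"
  namespace: fluent-operator
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: fluentbit-restrictions
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-logging'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  filters:
    - lua:
        alias: lua-severity
        call: process_logs
        script:
          name: lua-severity
          key: severity.lua
  match: "k8s_container.*"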