Fluent Bit for Amazon EKS on AWS Fargate Setup
This guide provides clear steps to configure Fluent Bit for logging in an Amazon EKS cluster running on AWS Fargate.
Prerequisites
- AWS CLI configured with necessary permissions
- kubectl set up to access your EKS cluster
Step 1: Deploy the EKS Cluster
Before setting up Fluent Bit, create an EKS cluster with Fargate support using eksctl.
Create a file called eks-cluster-config.yaml:
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: fluentbit-cluster
  region: ap-southeast-1
  version: "1.32"
fargateProfiles:
  - name: default
    selectors:
      - namespace: demo
      - namespace: aws-observability
```
Then deploy the cluster:
```bash
eksctl create cluster --config-file eks-cluster-config.yaml
```
⚠️ This may take several minutes. Once complete, kubectl will automatically be configured to use the new cluster.
Step 2: Create Fluent Bit Configuration
Create a file called fluentbit-config.yaml with the following content:
```yaml
kind: Namespace
apiVersion: v1
metadata:
  name: aws-observability
  labels:
    aws-observability: enabled
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-logging
  namespace: aws-observability
  labels:
    app.kubernetes.io/name: fluent-bit
    k8s-app: fluent-bit
    component: logging
    tier: node
    release: fluentbit
  annotations:
    fluentbit.io/exclude: "false"
data:
  output.conf: |
    [OUTPUT]
        Name cloudwatch_logs
        Match *
        region ap-southeast-1
        log_group_name fluent-bit-cloudwatch
        log_stream_prefix from-fluent-bit-
        auto_create_group true
```
⚠️ Important: Be sure to use true (lowercase) for auto_create_group, or the configuration will be rejected by Fargate's admission webhook.
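A pre-apply check for the casing problem described above, so the mistake is caught before the admission webhook rejects the ConfigMap. This is an added example, not part of the original guide or the AWS tooling; the function names are hypothetical, the sample input is constructed, and the required-key list for cloudwatch_logs is an assumption based on the keys this guide sets.

```python
# Constructed input: the guide's output.conf with the boolean mis-cased.
SAMPLE_OUTPUT_CONF = """\
[OUTPUT]
    Name cloudwatch_logs
    Match *
    region ap-southeast-1
    log_group_name fluent-bit-cloudwatch
    log_stream_prefix from-fluent-bit-
    auto_create_group True
"""

BOOLEAN_WORDS = {"true", "false", "on", "off"}


def parse_sections(text):
    """Parse classic-mode Fluent Bit config into (SECTION, {key: value}) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), {}))
        elif sections:
            parts = line.split(None, 1)  # key, then the rest of the line
            sections[-1][1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return sections


def lint_output_conf(text):
    """Return a list of problems found in the [OUTPUT] sections."""
    problems = []
    outputs = [kv for name, kv in parse_sections(text) if name == "OUTPUT"]
    if not outputs:
        problems.append("no [OUTPUT] section")
    for n, kv in enumerate(outputs):
        if "name" not in kv:
            problems.append(f"OUTPUT[{n}]: missing name")
        if kv.get("name") == "cloudwatch_logs":
            for key in ("region", "log_group_name"):
                if key not in kv:
                    problems.append(f"OUTPUT[{n}]: missing {key}")
        for key, value in kv.items():
            # Boolean words must be written in lowercase.
            if value.lower() in BOOLEAN_WORDS and value != value.lower():
                problems.append(
                    f"OUTPUT[{n}]: {key} should be '{value.lower()}', not '{value}'")
    return problems
```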
Apply the configuration:
```bash
kubectl apply -f fluentbit-config.yaml
```
Confirm the ConfigMap was created:
```bash
kubectl -n aws-observability get configmap aws-logging -o yaml
```
Step 3: Set Up IAM Permissions
Download the required IAM policy:
```bash
curl -o permissions.json \
  https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json
```
Create the IAM policy:
```bash
aws iam create-policy \
  --policy-name FluentBitEKSFargate \
  --policy-document file://permissions.json
```
Attach the policy to your Fargate pod execution role:
```bash
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/FluentBitEKSFargate \
  --role-name eksctl-fluentbit-cluster-FargatePodExecutionRole-XXXXXXXXXX
```
Replace:
- <ACCOUNT_ID> with your AWS account ID
- eksctl-fluentbit-cluster-FargatePodExecutionRole-XXXXXXXXXX with your actual Fargate pod execution role
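Because this policy is attached to the pod execution role, it is worth reviewing the downloaded document before running create-policy. The following added example (not from the original guide or the AWS sample repository) flags Allow statements on Resource "*" and produces a copy scoped to the guide's log group. The policy shown is a constructed stand-in for permissions.json, the account ID 111122223333 is a placeholder, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample standing in for a downloaded permissions.json;
# it is not the contents of the real file.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:CreateLogGroup",
                   "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (statement index, actions) for Allow statements on Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, _as_list(stmt.get("Action", []))))
    return findings


def scope_to_log_group(policy, region, account_id, log_group):
    """Return a copy with wildcard Allow statements pinned to one log group."""
    base = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    scoped = copy.deepcopy(policy)
    scoped["Statement"] = _as_list(scoped["Statement"])
    for i, _ in wildcard_findings(policy):
        # The group ARN covers group-level calls; ':*' covers its streams.
        scoped["Statement"][i]["Resource"] = [base, base + ":*"]
    return scoped


if __name__ == "__main__":
    print("wildcard statements:", wildcard_findings(SAMPLE_POLICY))
    print(json.dumps(scope_to_log_group(
        SAMPLE_POLICY, "ap-southeast-1", "111122223333",
        "fluent-bit-cloudwatch"), indent=2))
```

To check the real file, load it with `json.load(open("permissions.json"))` and pass the result to `wildcard_findings` before creating the policy.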
Step 4: Deploy Test Application
Create a file called logger-server.yaml:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logger-server
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: main
          image: nginx:1.14.2
          ports:
            - containerPort: 80
```
Deploy the test application:
```bash
kubectl create namespace demo
```
Creates a separate namespace for your test workload.
```bash
kubectl -n demo apply -f logger-server.yaml
```
Applies the deployment configuration.
```bash
kubectl -n demo expose deploy logger-server
```
Exposes the deployment as a service within the demo namespace.
Step 5: Verify Logging
📌 Make sure Fluent Bit is deployed and running in aws-observability before proceeding:
```bash
kubectl get pods -n aws-observability
```
You should see a fluent-bit pod with STATUS as Running.
1. Forward the service locally
⚠️ If the pod is still Pending, wait before forwarding.
```bash
kubectl get pods -n demo
```
Then:
```bash
kubectl -n demo port-forward svc/logger-server 8080:80
```
💡 Tip: Open a new terminal session for other steps while this command is running.
2. Stream logs
```bash
kubectl -n demo logs deploy/logger-server -f
```
💡 Tip: Use another terminal session for log streaming while port-forwarding is active.
3. Send requests
```bash
curl localhost:8080
```
Step 6: Check CloudWatch Logs
Logs are available in CloudWatch under the group:
fluent-bit-cloudwatch
Check available log groups:
```bash
aws logs describe-log-groups --region ap-southeast-1
```
Example output:
```json
{
  "logGroups": [
    {
      "logGroupName": "/aws/eks/fluentbit/cluster",
      "creationTime": 1746219458104,
      "arn": "arn:aws:logs:ap-southeast-1:xxxxxxxxxx:log-group:/aws/eks/fluentbit/cluster:*"
    },
    {
      "logGroupName": "fluent-bit-cloudwatch",
      "creationTime": 1746222769503,
      "arn": "arn:aws:logs:ap-southeast-1:xxxxxxxxxx:log-group:fluent-bit-cloudwatch:*"
    }
  ]
}
```
List log streams:
```bash
aws logs describe-log-streams --log-group-name fluent-bit-cloudwatch --region ap-southeast-1
```
Example output:
```json
{
  "logStreams": [
    {
      "logStreamName": "from-fluent-bit-kube.var.log.containers.logger-server-...",
      "creationTime": 1746222769529,
      "firstEventTimestamp": 1746222769404
    }
  ]
}
```
Step 7: Resource Considerations
- Allocate 50MB–100MB additional memory for the Fargate log router.
- Consider CloudWatch ingestion and retention costs.
Step 8: Supported Kubernetes Versions
Tested on Kubernetes v1.32. May work on other versions as well.
Step 9: Cleanup
1. Delete namespaces (this also deletes all pods inside automatically)
```bash
kubectl delete namespace demo
```
Removes the test application namespace.
```bash
kubectl delete namespace aws-observability
```
Removes Fluent Bit and its configuration.
2. Detach and delete IAM policy
```bash
aws iam detach-role-policy \
  --role-name eksctl-fluentbit-cluster-FargatePodExecutionRole-XXXXXXXXXX \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/FluentBitEKSFargate
```
Detaches the Fluent Bit policy.
```bash
aws iam delete-policy \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/FluentBitEKSFargate
```
Deletes the policy itself.
3. Delete the EKS cluster
```bash
eksctl delete cluster --config-file eks-cluster-config.yaml
```
Removes the entire EKS cluster created during setup.
Reference
Based on: https://aws.amazon.com/blogs/containers/fluent-bit-for-amazon-eks-on-aws-fargate-is-here/
You can also find the same guide with Terraform and work files in this GitHub repository: https://github.com/jdevto/eks-fargate-fluentbit-demo