Troubleshooting logging in GKE


This page shows you how to investigate and resolve GKE logging related issues.

If you need additional assistance, reach out to Cloud Customer Care.

Missing cluster logs in Cloud Logging

Verify logging is enabled in the project

  1. List enabled services:

    gcloud services list --enabled --filter="NAME=logging.googleapis.com"
    

    The following output indicates that logging is enabled for the project:

    NAME                    TITLE
    logging.googleapis.com  Cloud Logging API
    

    Optional: Check the logs in Logs Viewer to determine who disabled the API and when they disabled the API:

    protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.DisableService"
    protoPayload.response.services="logging.googleapis.com"
    
  2. If logging is disabled, enable logging:

    gcloud services enable logging.googleapis.com
    

Verify logging is enabled on the cluster

  1. List the clusters:

    gcloud container clusters list \
        --project=PROJECT_ID \
        '--format=value(name,loggingConfig.componentConfig.enableComponents)' \
        --sort-by=name | column -t
    

    Replace the following:

    • PROJECT_ID: your Google Cloud project ID.

    The output is similar to the following:

    cluster-1              SYSTEM_COMPONENTS
    cluster-2              SYSTEM_COMPONENTS;WORKLOADS
    cluster-3
    

    If the value for your cluster is empty, logging is disabled. For example, cluster-3 in this output has logging disabled.

  2. Enable cluster logging if set to NONE:

    gcloud container clusters update CLUSTER_NAME  \
        --logging=SYSTEM,WORKLOAD \
        --location=COMPUTE_LOCATION
    

    Replace the following:

Verify nodes in the node pools have Cloud Logging access scope

One of the following scopes is required for nodes to write logs to Cloud Logging:

  • https://www.googleapis.com/auth/logging.write
  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/logging.admin
  1. Check the scopes configured on each node pool in the cluster:

    gcloud container node-pools list --cluster=CLUSTER_NAME \
        --format="table(name,config.oauthScopes)" \
        --location COMPUTE_LOCATION
    

    Replace the following:

    Migrate your workloads from the old node pool to the newly created node pool and monitor the progress.

  2. Create new node pools with the correct logging scope:

    gcloud container node-pools create NODE_POOL_NAME \
        --cluster=CLUSTER_NAME \
        --location=COMPUTE_LOCATION \
        --scopes="gke-default"
    

    Replace the following:

Verify the node pool's service account has a role with the correct IAM permissions

The service account must have a role which contains the permission logging.logEntries.create to create logs.

  1. Find the service account for each node pool:

    gcloud container node-pools list \
        --cluster=CLUSTER_NAME \
        --format="table(name,config.serviceAccount)" \
        --location=COMPUTE_LOCATION
    

    Replace the following:

    The output is similar to the following:

    NAME          SERVICE_ACCOUNT
    default-pool  [email protected]
    

    If the node pool is using the default Compute Engine service account, you can describe it using the following command. As a best practice, use a minimally-privileged custom service account for your node pools. The default Compute Engine service account contains more than the minimum permissions needed to run your clusters.

    gcloud compute project-info describe --format="table(defaultServiceAccount)"
    
  2. Verify IAM roles have sufficient permissions.

    View the permissions contained in roles that are granted to a specific service account:

    gcloud projects get-iam-policy PROJECT_ID \
        --flatten="bindings[]" \
        --filter="bindings.members=serviceAccount:SERVICE_ACCOUNT" \
        --format="table[box](bindings.role)"
    
  3. Grant a role that contains the logging.logEntries.create permission to the service account. You can use a predefined role or create a custom role.

Verify that Cloud Logging write API quotas have not been reached

Confirm that you have not reached API write quotas for Cloud Logging.

  1. Go to the Quotas page in the Google Cloud console.

    Go to Quotas

  2. Filter the table by "Cloud Logging API".

  3. Confirm that you have not reached any of the quotas.

Debugging GKE logging issues with gcpdiag

If you are missing or getting incomplete logs from your GKE cluster, use the gcpdiag tool for troubleshooting.

gcpdiag is an open-source tool that can help identify and fix problems with Google Cloud projects. gcpdiag is not an officially supported Google Cloud product. For more information, see the gcpdiag project on GitHub.

When logs from the GKE cluster are missing or incomplete, investigate potential causes by focusing on the following core configuration settings that are essential for proper logging functions:

  • Project-Level Logging: Ensures that the Google Cloud project housing the GKE cluster has the Cloud Logging API enabled.
  • Cluster-Level Logging: Verifies that logging is explicitly enabled within the configuration of the GKE cluster.
  • Node Pool Permissions: Confirms that the nodes within the cluster's node pools have the 'Cloud Logging Write' scope enabled, allowing them to send log data.
  • Service Account Permissions: Validates that the service account used by the node pools possesses the necessary IAM permissions to interact with Cloud Logging. Specifically, the 'roles/logging.logWriter' role is typically required.
  • Cloud Logging API Write Quotas: Verifies that Cloud Logging API Write quotas have not been exceeded within the specified timeframe.

Cloud Shell

  1. Copy and run the following command in Cloud Shell:
    gcpdiag runbook gke/logs --project=PROJECT_ID 
    --parameter name=GKE_NAME
    --parameter location=LOCATION

Google Cloud console

  1. Copy the following command:
  2. gcpdiag runbook gke/logs --project=PROJECT_ID 
    --parameter name=GKE_NAME
    --parameter location=LOCATION
  3. Open the Google Cloud console and activate Cloud Shell:
  4. Open Cloud console
  5. Paste the copied command.
  6. Run the gcpdiag command. This will download the gcpdiag docker image and start running the relevant checks for this command. Follow instructions on how to fix failed checks.

Docker

You can run gcpdiag using a wrapper that starts gcpdiag in a Docker container. This works on any machine with Docker or Podman installed.

  1. Copy and run the following command in your local workstation:
    curl https://gcpdiag.dev/gcpdiag.sh >gcpdiag && chmod +x gcpdiag
  2. Execute the gcpdiag command:
    ./gcpdiag runbook gke/logs --project=PROJECT_ID 
    --parameter name=GKE_NAME
    --parameter location=LOCATION

View all available parameters for this runbook.

Replace the following:

  • PROJECT_ID: The ID of the project containing the resource.
  • GKE_NAME: The name of the GKE cluster.
  • LOCATION: The zone or region of the GKE cluster.

Useful flags:

  • --project: to define the PROJECT_ID.
  • --universe-domain: if applicable, used to define the Trusted Partner Sovereign Cloud domain hosting the resource.
  • --parameter or -p: to define parameters for a runbook.

For more information on available flags, see the Usage instructions for gcpdiag.

What's next

If you need additional assistance, reach out to Cloud Customer Care.