ROSA Log Forwarding to CloudWatch in a Private Subnet only VPC

Zhimin Wen
7 min read · Feb 29, 2024
(Cover image generated by Gemini)

Let’s configure Red Hat OpenShift Service on AWS (ROSA) log forwarding to AWS CloudWatch using the AWS Security Token Service (STS).

The environment I have is a VPC without any public subnets. All the subnets are private; internet access has to go through the Transit Gateway connected back to the on-premises data center. It does give me some challenges.

Configure Cluster Logging

On a vanilla ROSA cluster, create a namespace called openshift-logging, then subscribe to the OpenShift Logging operator with the following YAML:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  targetNamespaces:
  - openshift-logging
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: stable
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace

Create the ClusterLogging CR using Vector, the newer log collector:

apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
  name: instance
  namespace: openshift-logging
spec:
  collection:
    type: vector
    vector: {}
  managementState: Managed
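The three steps above (namespace, operator subscription, ClusterLogging CR) are easy to apply out of order or with broken indentation, and the Subscription succeeding does not by itself mean the collector is running. The script below is an added example, not code from the original post: it renders the same manifests with correct indentation, applies them in order, and then waits for the operator CSV to reach phase Succeeded and for the collector DaemonSet to roll out before declaring success. It assumes an `oc` session logged in as cluster-admin; the `openshift.io/cluster-monitoring` namespace label, the `cluster-logging.*` CSV name prefix and the `collector` DaemonSet name are assumptions from the standard OpenShift Logging install, not from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Installs the OpenShift Logging
# operator and the vector ClusterLogging CR, then verifies the install.
# Assumes: `oc` logged in with cluster-admin on the ROSA cluster.
set -e

NS="openshift-logging"

# Render the namespace, OperatorGroup and Subscription. Output only.
# The cluster-monitoring label is an assumption from the standard install docs.
render_operator_manifests() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${NS}
  labels:
    openshift.io/cluster-monitoring: "true"
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: cluster-logging
  namespace: ${NS}
spec:
  targetNamespaces:
  - ${NS}
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: ${NS}
spec:
  channel: stable
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF
}

# Render the ClusterLogging CR with the vector collector. Output only.
render_cluster_logging() {
  cat <<EOF
apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
  name: instance
  namespace: ${NS}
spec:
  collection:
    type: vector
    vector: {}
  managementState: Managed
EOF
}

# Poll until a CSV named cluster-logging.* reports phase Succeeded.
# Returns non-zero after ~10 minutes so a broken catalog source is noticed.
wait_for_csv() {
  tries=0
  while [ "$tries" -lt 60 ]; do
    phase=$(oc get csv -n "$NS" \
      -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.phase}{"\n"}{end}' \
      2>/dev/null | awk '/^cluster-logging\./ {print $2}')
    if [ "$phase" = "Succeeded" ]; then
      return 0
    fi
    tries=$((tries + 1))
    sleep 10
  done
  echo "operator CSV did not reach Succeeded" >&2
  return 1
}

# Apply in order, then verify the operator and the collector DaemonSet.
install_logging() {
  render_operator_manifests | oc apply -f -
  wait_for_csv
  render_cluster_logging | oc apply -f -
  # DaemonSet name `collector` is an assumption from the standard install.
  oc -n "$NS" rollout status daemonset/collector --timeout=300s
}

# Only touch the cluster when explicitly asked: `./install-logging.sh apply`
if [ "${1:-}" = "apply" ]; then
  install_logging
fi
```

Run it with `apply` to perform the install; without the argument it only defines the functions, so the rendered YAML can be reviewed first with `render_operator_manifests` or piped through `oc apply --dry-run=server -f -`.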
