Logging extensions file tailer webhook 🔗︎

Introduction 🔗︎

Another way to keep your custom file’s content tailed aside of host file tailer service, to configure and use the file tailer webhook service. While the containers of the host file tailers run in a separated pod, file tailer webhook uses a different approach, it injects a sidecar container for every tailed file into your pod, triggered by a simple pod annotation.

Installation 🔗︎

The only thing you need is to provide valid TLS certificates to the file tailer webhook.

There are three possible ways to do this:

  • install cert-manager with one-eye
  • use your own cert-manager service
  • provide valid secrets and ca bundle by your own

Install with cert-manager: 🔗︎

One-eye offers a cert-manager installation. The cert-manager is a powerful tool, so we strongly recommend to use it.

First install cert-manager:

one-eye-cli cert-manager install

Then you can install the webhook support:

one-eye-cli tailer-webhook install


  • When there is a cert-manager on your cluster already, you can skip the cert-manager installation step, and you can use the existing one.
  • If there is no existing cert-manager on your cluster, and there won’t be secret and cabundle parameters provided, the install will fail.

Provide your own secrets: 🔗︎

When you have your own certifications set up, you can pass them to the installer to configure file tailer webhook to use them. In this case there is no need to use cert-manager. The required arguments are the following:

one-eye-cli tailer-webhook install --webhook-secret <secret name> --webhook-cabundle <CA bundle>
  1. Let’s assume you have your own certs generated in /tmp

  2. Make your own secret with your serving certs

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
  name: "my-own-certs"
  namespace: ${namespace}
  tls.crt: $(cat /tmp/tls.crt | base64)
  tls.key: $(cat /tmp/tls.key | base64)
type: kubernetes.io/tls
  1. Install logging with your secret name and rootCA information provided
one-eye-cli tailer-webhook install --namespace ${namespace} --webhook-secret "my-own-certs" --webhook-cabundle "$(cat /tmp/rootCA.pem)"


  • Certs must allow one-eye-tailer-webhook, one-eye-tailer-webhook.namespace, one-eye-tailer-webhook.namespace.svc.

Triggering the webhook 🔗︎

File tailer webhook is based on a Mutating Admission Webhook which gets called every time, when a pod starts, and will be triggered when a pod specification contains annotation with the key:

  • sidecar.logging-extensions.banzaicloud.io/tail.
apiVersion: v1
kind: Pod
    name: test-pod
    annotations: {"sidecar.logging-extensions.banzaicloud.io/tail": "/var/log/date"}
    - image: debian
        name: sample-container
        command: ["/bin/sh", "-c"]
            - while true; do
                date >> /var/log/date;
                sleep 1;
    - image: debian
        name: sample-container2

About the File Tailer Webhook annotation 🔗︎

The basic format of a file tailer webhook annotation is the following:

Key sidecar.logging-extensions.banzaicloud.io/tail
Value Files to be tailed separated by commas
    name: test-pod
    annotations: {"sidecar.logging-extensions.banzaicloud.io/tail": "/var/log/date,/var/log/mycustomfile"}

Mutli-container pods 🔗︎

In some cases you have multiple containers in your pod and you want to distinguish which file annotation belongs to which container. You can order every file annotations to particular container by prefixing the annotation with a ${ContainerName}: container key.

    name: test-pod
    annotations: {"sidecar.logging-extensions.banzaicloud.io/tail": "sample-container:/var/log/date,sample-container2:/var/log/anotherfile,/var/log/mycustomfile,foobarbaz:/foo/bar/baz"}
Annotation Explanation
sample-container:/var/log/date tails file /var/log/date in sample-container
sample-container2:/var/log/anotherfile tails file /var/log/anotherfile in sample-container2
/var/log/mycustomfile tails file /var/log/mycustomfile in default container (sample-container)
foobarbaz:/foo/bar/baz will be discarded due to non-existing container name


  • Annotations without containername prefix: the file gets tailed on the default container (container 0)
  • Annotations with invalid containername: file tailer annotation gets discarded