Access EKS Capabilities controller logs - Amazon EKS

Access EKS Capabilities controller logs

EKS Capabilities controllers for ACK, kro, and Argo CD run in AWS-managed infrastructure outside your clusters. You can configure log delivery for these controllers using Amazon CloudWatch Vended Logs, giving you visibility into controller behavior for monitoring and troubleshooting.

Logs are delivered in structured JSON format and include operational fields such as log level, message, controller name, and reconciliation identifiers. Internal AWS metadata is filtered before delivery — you receive only the operational log content relevant to your capability controllers.

Supported log types

Each capability has one or more log types that you can configure independently as CloudWatch Vended Logs delivery sources.

ACK

  • EKS_CAPABILITY_ACK_LOGS

kro

  • EKS_CAPABILITY_KRO_LOGS

Argo CD

  • EKS_CAPABILITY_ARGOCD_APPLICATION_LOGS

  • EKS_CAPABILITY_ARGOCD_APPLICATIONSET_LOGS

  • EKS_CAPABILITY_ARGOCD_COMMITSERVER_LOGS

  • EKS_CAPABILITY_ARGOCD_REPOSERVER_LOGS

  • EKS_CAPABILITY_ARGOCD_SERVER_LOGS

ACK uses a single log type covering all ACK service controllers. Log records include a controllerGroup field (for example, s3.services.k8s.aws, rds.services.k8s.aws) that identifies which ACK service controller generated the log. You can use this field to filter logs for a specific service controller in CloudWatch Logs Insights or other query tools.

Argo CD has five separate log types, one per controller component. This lets you enable logging for only the controllers you need and route them to different destinations.

Setting up log delivery

To configure capability controller log delivery, use the AWS Management Console or the Amazon CloudWatch Logs API. For detailed setup instructions, see Enabling logging from AWS services in the Amazon CloudWatch Logs User Guide. Each capability controller can be configured as an individual CloudWatch Vended Logs delivery source, so you can select which logs to receive.

Console

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

  2. Select your cluster name.

  3. Choose the Capabilities tab, then select your capability.

  4. In the Log delivery section, choose Add.

  5. Select the log type for your capability and choose a destination.

  6. Choose Add to create the delivery.

Using Amazon CloudWatch APIs

Setting up logging requires three steps:

  1. Create a delivery source for the capability using the CloudWatch PutDeliverySource API. Use the capability ARN as the resourceArn and specify the desired log type.

  2. Create a delivery destination using PutDeliveryDestination. Specify the ARN of a CloudWatch log group, S3 bucket, or Amazon Data Firehose delivery stream.

  3. Create a delivery to connect the source and destination using CreateDelivery.

You can retrieve the capability ARN using the describe-capability command:

  aws eks describe-capability \
      --region region-code \
      --cluster-name my-cluster \
      --capability-name my-capability \
      --query 'capability.capabilityArn' \
      --output text

You can configure a single capability (delivery source) to send logs to multiple destinations by creating multiple deliveries. You can also send logs from multiple capabilities to the same destination.

IAM permissions

Depending on the destination selected, you might need to configure IAM policies or roles for the CloudWatch log group, S3 bucket, or Data Firehose delivery stream to ensure successful log delivery. If you’re sending logs across AWS accounts, use the PutDeliveryDestinationPolicy API to configure an IAM policy that allows delivery to the destination. See the CloudWatch Vended Logs permissions documentation for additional information.
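A worked run of the three-step procedure above, including the fan-out of one capability to several destinations and the cross-account destination policy described in this IAM section. This is an added example, not code from the EKS user guide or from AWS. It uses the boto3 CloudWatch Logs client methods for PutDeliverySource, PutDeliveryDestination, CreateDelivery and PutDeliveryDestinationPolicy; the capability kind labels, the delivery-source naming scheme, the policy Sid, and every ARN and account ID are the example's own assumptions.

```python
"""Configure CloudWatch Vended Logs delivery for an EKS Capabilities controller.

Added example, not code from the EKS user guide. Drives the three calls the
page lists (PutDeliverySource, PutDeliveryDestination, CreateDelivery) via
boto3, fans one capability out to several destinations, and builds the policy
PutDeliveryDestinationPolicy needs for a cross-account destination.
Account IDs, ARNs and names are placeholders.
"""
import json

# Log types from the page, grouped by capability kind. The kind labels are
# this example's own shorthand, not AWS identifiers.
LOG_TYPES = {
    "ack": ("EKS_CAPABILITY_ACK_LOGS",),
    "kro": ("EKS_CAPABILITY_KRO_LOGS",),
    "argocd": (
        "EKS_CAPABILITY_ARGOCD_APPLICATION_LOGS",
        "EKS_CAPABILITY_ARGOCD_APPLICATIONSET_LOGS",
        "EKS_CAPABILITY_ARGOCD_COMMITSERVER_LOGS",
        "EKS_CAPABILITY_ARGOCD_REPOSERVER_LOGS",
        "EKS_CAPABILITY_ARGOCD_SERVER_LOGS",
    ),
}


def source_name(capability_name, log_type):
    """One delivery source per (capability, log type). Naming is this
    example's convention, not an AWS requirement."""
    suffix = log_type.removeprefix("EKS_CAPABILITY_").removesuffix("_LOGS")
    return f"{capability_name}-{suffix.lower().replace('_', '-')}"


def plan_deliveries(kind, capability_name, log_types, destination_names):
    """Reject log types that do not belong to this capability kind, then expand
    the fan-out: every (log type, destination) pair is one CreateDelivery."""
    bad = sorted(set(log_types) - set(LOG_TYPES[kind]))
    if bad:
        raise ValueError(f"{bad} are not log types of a {kind} capability")
    return [(source_name(capability_name, lt), lt, dest)
            for lt in log_types for dest in destination_names]


def delivery_destination_policy(source_account_id, destination_arn):
    """Resource policy for a delivery destination owned by a different account
    than the capability. Shape follows the CloudWatch Logs cross-account
    vended logs documentation; the Sid is this example's own."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCapabilityLogDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": ["logs:CreateDelivery"],
            "Resource": [destination_arn],
        }],
    })


def configure_log_delivery(capability_arn, capability_name, kind, log_types,
                           destinations, region):
    """Run the three steps. `destinations` maps a delivery-destination name to
    the ARN of the log group, S3 bucket or Firehose stream it points at. The
    destination resource's own policy (bucket policy, Firehose role) is a
    separate prerequisite not handled here. Returns the delivery IDs."""
    import boto3  # imported here so the pure helpers above need no AWS SDK

    logs = boto3.client("logs", region_name=region)
    deliveries = plan_deliveries(kind, capability_name, log_types, list(destinations))

    # Step 1: one delivery source per (capability, log type); resourceArn is the capability ARN.
    for src, log_type in sorted({(s, t) for s, t, _ in deliveries}):
        logs.put_delivery_source(name=src, resourceArn=capability_arn, logType=log_type)

    # Step 2: one delivery destination per target resource.
    destination_arns = {}
    for name, resource_arn in destinations.items():
        resp = logs.put_delivery_destination(
            name=name,
            deliveryDestinationConfiguration={"destinationResourceArn": resource_arn})
        destination_arns[name] = resp["deliveryDestination"]["arn"]

    # Step 3: connect each source to each destination.
    return [logs.create_delivery(deliverySourceName=src,
                                 deliveryDestinationArn=destination_arns[dest])["delivery"]["id"]
            for src, _, dest in deliveries]


def allow_cross_account_delivery(destination_name, destination_arn,
                                 source_account_id, region):
    """Run in the destination account before CreateDelivery is called from
    the account that owns the capability."""
    import boto3

    boto3.client("logs", region_name=region).put_delivery_destination_policy(
        deliveryDestinationName=destination_name,
        policy=delivery_destination_policy(source_account_id, destination_arn))
```

Call `plan_deliveries` first when scripting this for many clusters: it fails fast on a log type that does not match the capability (for example an Argo CD log type on a kro capability) before any API call is made, and its output shows exactly how many sources and deliveries will be created.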

Example: Querying logs with CloudWatch Logs Insights

To view error logs across all controllers:

  fields @timestamp, controller, message, error
  | filter level = "error"
  | sort @timestamp desc
  | limit 50

For more query examples including filtering by service controller, tracking reconciliation cycles, and Argo CD application filtering, see Use controller logs for troubleshooting.
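The same filtering applied offline, for the case where the logs were delivered to Amazon S3 as JSON lines instead of to a log group, with the controllerGroup filter from the ACK section and a reconciliation-cycle lookup added. This is an added example, not code from the EKS user guide. The sample records are constructed here; level, message, controller, controllerGroup and error are fields the page names, while the ts and reconcileID field names are assumptions.

```python
"""Offline equivalent of the Logs Insights query on the page, run over
constructed EKS Capabilities controller log records (added example, not code
from the EKS user guide). Field names ts and reconcileID are assumptions;
level, message, controller, controllerGroup and error come from the page.
"""
import json

# Constructed sample records, one JSON object per line, plus one bad line
# to exercise the parser's error handling.
SAMPLE_LOG_LINES = """\
{"ts":"2024-05-01T10:00:00Z","level":"info","controller":"bucket","controllerGroup":"s3.services.k8s.aws","reconcileID":"r-1","message":"reconciling resource"}
{"ts":"2024-05-01T10:00:02Z","level":"error","controller":"bucket","controllerGroup":"s3.services.k8s.aws","reconcileID":"r-1","message":"reconcile failed","error":"AccessDenied: not authorized to perform s3:CreateBucket"}
{"ts":"2024-05-01T10:00:05Z","level":"info","controller":"dbinstance","controllerGroup":"rds.services.k8s.aws","reconcileID":"r-2","message":"reconciling resource"}
{"ts":"2024-05-01T10:00:09Z","level":"error","controller":"dbinstance","controllerGroup":"rds.services.k8s.aws","reconcileID":"r-2","message":"reconcile failed","error":"DBInstanceAlreadyExists"}
{"ts":"2024-05-01T10:00:12Z","level":"info","controller":"bucket","controllerGroup":"s3.services.k8s.aws","reconcileID":"r-3","message":"reconciled successfully"}
not json at all
"""


def parse_records(text):
    """Parse JSON lines. Unparsable lines are counted and skipped rather than
    aborting the whole batch, so one corrupt object does not hide the rest."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def error_records(records, limit=50, controller_group=None):
    """filter level = "error" [and controllerGroup = X] | sort ts desc | limit N,
    projecting the same fields as the page's query."""
    hits = [r for r in records
            if r.get("level") == "error"
            and (controller_group is None or r.get("controllerGroup") == controller_group)]
    hits.sort(key=lambda r: r["ts"], reverse=True)  # ISO-8601 strings sort chronologically
    return [{k: r.get(k) for k in ("ts", "controller", "message", "error")}
            for r in hits[:limit]]


def reconcile_trail(records, reconcile_id):
    """Every record from one reconciliation cycle, oldest first, so the step
    that failed can be read in context."""
    return sorted((r for r in records if r.get("reconcileID") == reconcile_id),
                  key=lambda r: r["ts"])


def errors_by_controller_group(records):
    """Count error records per ACK service controller (controllerGroup)."""
    counts = {}
    for r in records:
        if r.get("level") == "error":
            group = r.get("controllerGroup", "unknown")
            counts[group] = counts.get(group, 0) + 1
    return counts


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG_LINES)
    print(f"parsed {len(recs)} records, skipped {skipped}")
    for hit in error_records(recs):
        print(hit)
    print(errors_by_controller_group(recs))
```

The `controller_group` filter is the offline counterpart of adding `| filter controllerGroup = "s3.services.k8s.aws"` to the Insights query, which is how you isolate a single ACK service controller inside the one shared ACK log type.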

Viewing your logs

After you configure log delivery, logs are delivered to your specified destination. The method for accessing logs depends on your chosen destination type:

  • CloudWatch Logs — View logs in the CloudWatch Logs console, use AWS CLI commands, or query with CloudWatch Logs Insights.

  • Amazon S3 — Access logs as objects in your S3 bucket through the S3 console, AWS CLI, or analytics tools like Amazon Athena.

  • Amazon Data Firehose — Logs are streamed to the target configured on your Firehose stream, such as Amazon S3, Amazon OpenSearch Service, or Amazon Redshift.

Pricing

CloudWatch Vended Logs charges apply for log delivery and storage based on your chosen delivery destination. CloudWatch Vended Logs enables reliable, secure log delivery with built-in AWS authentication and authorization at a reduced price compared to standard CloudWatch Logs. See the Vended Logs section of the CloudWatch pricing page for more details.