S3 Cold Storage Integration
Overview
KubeSense supports configuring retention periods for traces and metrics, with the ability to move data to cold storage (S3) after a specified duration. In AWS EKS environments, you can integrate S3 cold storage in two ways:
- Using AWS access and secret keys
- Using AWS IAM Role with Service Account
info: S3 integration enables efficient long-term storage of historical observability data while keeping your active storage optimized.
Prerequisites
Before setting up S3 integration, ensure you have:
- KubeSense deployed on AWS EKS
- An AWS S3 bucket created for cold storage
- Appropriate AWS IAM permissions for S3 access
- Access to modify the KubeSense Helm values
Method 1: Using AWS IAM Role (Recommended)
Using AWS IAM roles with Kubernetes Service Accounts is the recommended approach as it eliminates the need to manage credentials and provides better security through IAM integration.
Step 1: Get EKS OIDC Provider URL
- Go to your EKS cluster in AWS Console
- Copy the OpenID Connect (OIDC) provider URL (found in cluster details)
warning: If you don't see an OIDC provider, you'll need to create one. This is required for IAM role-based authentication.
Step 2: Create IAM OIDC Provider (if not exists)
If there's no IAM OIDC provider for your cluster:
- Go to IAM → Identity providers → Add provider
- Choose OpenID Connect as provider type
- Enter the EKS OIDC URL into Provider URL
- Click Get Thumbprint
- Enter
sts.amazonaws.comas Audience - Click Add provider
Step 3: Create S3 Bucket
Create an S3 bucket for KubeSense cold storage:
- Go to S3 Console → Create bucket
- Choose a bucket name (e.g.,
kubesense-cold-storage) - Select your preferred region
- Configure bucket settings and permissions as needed
- Create the bucket
Step 4: Create IAM Policy for S3 Access
Create an IAM policy that allows access to your S3 bucket. Replace kubesense-cold-storage with your actual bucket name:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::kubesense-cold-storage",
"arn:aws:s3:::kubesense-cold-storage/*"
]
}
]
}Step 5: Create IAM Role for KubeSense
- Go to IAM → Roles → Create role
- Select Web identity as trusted entity type
- Choose the OIDC provider you created earlier
- Select
sts.amazonaws.comas audience - Attach the S3 policy created in Step 4
- Name the role (e.g.,
kubesense-s3-role) - Create the role
Step 6: Update KubeSense Configuration
Add the cold storage configuration to your KubeSense Helm values:
coldStorageConfig:
enabled: true
endpoint: https://kubesense-cold-storage.s3.us-east-2.amazonaws.com/data/
enableServiceAccountAuth: true
cloudProvider: "aws"note: Replace kubesense-cold-storage and us-east-2 with your actual bucket name and region. The endpoint format should be: https://<bucket-name>.s3.<region>.amazonaws.com/<folder>/
Step 7: Annotate KubeSense Service Account
You need to associate the IAM role with KubeSense's ClickHouse service account. Create or update the service account with the IAM role annotation:
apiVersion: v1
kind: ServiceAccount
metadata:
name: clickhouse-instance
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::YOUR_ACCOUNT_ID:role/kubesense-s3-roleReplace YOUR_ACCOUNT_ID with your actual AWS account ID.
Step 8: Upgrade KubeSense
Apply the configuration by upgrading your KubeSense Helm deployment:
helm upgrade kubesense ./kubesense-chart \
-f values.yaml \
--namespace kubesenseMethod 2: Using AWS Access and Secret Keys
For environments where IAM roles aren't available or preferred, you can use AWS access keys.
Step 1: Create IAM User with S3 Access
- Go to IAM → Users → Create user
- Name the user (e.g.,
kubesense-s3-user) - Attach a policy with S3 permissions (use the same policy from Method 1, Step 4)
- Create the user
Step 2: Generate Access Keys
- Click on the created user
- Go to Security credentials tab
- Click Create access key
- Choose Application running outside AWS as use case
- Download or copy the access key ID and secret access key
warning: Store these credentials securely and never commit them to version control.
Step 3: Update KubeSense Configuration
Add the cold storage configuration with access keys:
coldStorageConfig:
enabled: true
endpoint: https://kubesense-cold-storage.s3.us-east-2.amazonaws.com/data/
accessKeyID: YOUR_ACCESS_KEY_ID
secretAccessKey: YOUR_SECRET_ACCESS_KEY
cloudProvider: "aws"Replace:
YOUR_ACCESS_KEY_IDwith your AWS access key IDYOUR_SECRET_ACCESS_KEYwith your AWS secret access keykubesense-cold-storageandus-east-2with your bucket name and region
Step 4: Upgrade KubeSense
Apply the configuration:
helm upgrade kubesense ./kubesense-chart \
-f values.yaml \
--namespace kubesenseConfiguration Parameters
Here's a detailed breakdown of the cold storage configuration:
| Parameter | Type | Required | Description |
|---|---|---|---|
enabled | boolean | Yes | Enable or disable cold storage |
endpoint | string | Yes | S3 bucket endpoint URL |
cloudProvider | string | Yes | Cloud provider (e.g., "aws") |
enableServiceAccountAuth | boolean | No | Use IAM role authentication (Method 1) |
accessKeyID | string | Conditional* | AWS access key ID |
secretAccessKey | string | Conditional* | AWS secret access key |
*Required only when enableServiceAccountAuth is false
Verifying Integration
After configuring S3 integration:
-
Check KubeSense logs to ensure S3 connection is successful:
kubectl logs -n kubesense deployment/clickhouse-instance -f -
Verify data is being written to S3:
- Check your S3 bucket for backup files
- Monitor the configured retention period
-
Test cold storage functionality:
- Query historical data that should be in cold storage
- Verify data is accessible through KubeSense UI
Best Practices
- Security: Prefer IAM roles (Method 1) over access keys for better security
- Network: Ensure KubeSense pods have proper network access to S3 endpoints
- Monitoring: Set up S3 bucket lifecycle policies to manage old backups
- Testing: Test data retrieval from cold storage regularly
- Documentation: Document your bucket names and IAM roles for your team
Troubleshooting
Issue: Cold storage not working
Solution: Check service account annotations and IAM role ARN format:
kubectl describe serviceaccount clickhouse-instance -n kubesenseIssue: Permission denied errors
Solution: Verify the IAM policy includes all required S3 permissions and the role is correctly attached to the service account.
Issue: Unable to access S3 endpoint
Solution: Verify network connectivity and ensure the S3 endpoint URL is correctly formatted.
Conclusion
S3 integration provides a cost-effective solution for storing historical observability data while maintaining performance for recent data queries. Choose the authentication method that best fits your security requirements and infrastructure setup.