https://ferkakta.dev/tags/logging/Recent content in Logging on ferkakta.devHugoen-USCopyright fizz.Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/<h2 id="the-starting-assumption">The starting assumption</h2> <p>I&rsquo;m building <a href="https://ramparts.dev">ramparts</a>, a multi-tenant compliance platform running on EKS. Each tenant gets a Kubernetes namespace &ndash; <code>tenant-acme</code>, <code>tenant-globex</code>, whatever &ndash; and the compliance controls require that their application logs land in isolated storage with 365-day retention. CMMC maps this to AU-2 (audit events), AU-3 (audit content), AU-11 (retention), and AC-4 (information flow isolation). A tenant cannot read another tenant&rsquo;s container output.</p> <p>The obvious first move was <code>aws-for-fluent-bit</code>, AWS&rsquo;s own Helm chart and container image for shipping logs to CloudWatch. AWS service, AWS chart, AWS logging destination. The blessed path.</p>https://ferkakta.dev/why-we-removed-aws-for-fluent-bit-from-eks/Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/why-we-removed-aws-for-fluent-bit-from-eks/<p>We deployed <code>aws-for-fluent-bit</code> because AWS recommends it.</p> <p>If you follow the EKS logging documentation, that&rsquo;s the default path. It assumes you use AWS&rsquo;s distribution of Fluent Bit rather than the upstream Helm chart.</p> <p>We did.</p> <p>Two days later, we ripped it out.</p> <p>The AWS chart and the upstream chart are not the same thing. The differences aren&rsquo;t cosmetic. They affect how quickly you receive security patches, how transparently your configuration maps to the underlying plugin, and how many boundaries sit between your logs and the CloudWatch API.</p>