diff --git a/cluster/addons/fluentd-elasticsearch/README.md b/cluster/addons/fluentd-elasticsearch/README.md
index 065bc6dd750..59cc5ddfe99 100644
--- a/cluster/addons/fluentd-elasticsearch/README.md
+++ b/cluster/addons/fluentd-elasticsearch/README.md
@@ -1,45 +1,82 @@
 # Elasticsearch Add-On
-This add-on consists of a combination of
-[Elasticsearch](https://www.elastic.co/products/elasticsearch), [Fluentd](http://www.fluentd.org/)
-and [Kibana](https://www.elastic.co/products/elasticsearch). Elasticsearch is a search engine
-that is responsible for storing our logs and allowing for them to be queried. Fluentd sends
-log messages from Kubernetes to Elasticsearch, whereas Kibana is a graphical interface for
-viewing and querying the logs stored in Elasticsearch.
+
+This add-on consists of a combination of [Elasticsearch][elasticsearch],
+[Fluentd][fluentd] and [Kibana][kibana]. Elasticsearch is a search engine
+that is responsible for storing our logs and allowing for them to be queried.
+Fluentd sends log messages from Kubernetes to Elasticsearch, whereas Kibana
+is a graphical interface for viewing and querying the logs stored in
+Elasticsearch.
+
+**Note:** this addon should **not** be used as-is in production. This is
+an example and you should treat is as such. Please see at least the
+[Security](#security) and the [Storage](#storage) sections for more
+information.
 
 ## Elasticsearch
-Elasticsearch is deployed as a
-[StatefulSet](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/), which
-is like a Deployment, but allows for maintaining state on storage volumes. 
 
-### Authentication
-Elasticsearch has basic authentication enabled by default, in our configuration the credentials
-are at their default values, i.e. username 'elastic' and password 'changeme'. In order to change
-them, please read up on [the official documentation](https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#reset-built-in-user-passwords).
+Elasticsearch is deployed as a [StatefulSet][statefulSet], which is like
+a Deployment, but allows for maintaining state on storage volumes. 
+
+### Security
+
+Elasticsearch has capabilities to enable authorization using
+[X-Pack plugin][xPack]. See configuration parameter `xpack.security.enabled`
+in Elasticsearch and Kibana configurations. It can also be set via
+`XPACK_SECURITY_ENABLED` env variable. After enabling the feature,
+follow [official documentation][setupCreds] to set up credentials in
+Elasticsearch and Kibana. Don't forget to propagate those credentials also to
+Fluentd in its [configuration][fluentdCreds], using for example
+[environment variables][fluentdEnvVar]. You can utilize [ConfigMaps][configMap]
+and [Secrets][secret] to store credentials in the Kubernetes apiserver.
 
 ### Initialization
+
 The Elasticsearch Statefulset manifest specifies that there shall be an
-[init container](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) executing
-before Elasticsearch containers themselves, in order to ensure that the kernel state variable
-`vm.max_map_count` is at least 262144, since this is a requirement of Elasticsearch.
-You may remove the init container if you know that your host OS meets this requirement.
+[init container][initContainer] executing before Elasticsearch containers
+themselves, in order to ensure that the kernel state variable
+`vm.max_map_count` is at least 262144, since this is a requirement of
+Elasticsearch. You may remove the init container if you know that your host
+OS meets this requirement.
 
 ### Storage
-The Elasticsearch StatefulSet will claim a storage volume 'elasticsearch-logging',
-of the standard
-[StorageClass](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#storageclasses),
-that by default will be 100 Gi per replica. Please adjust this to your needs (including
-possibly choosing a more suitable StorageClass).
+
+The Elasticsearch StatefulSet will use the [EmptyDir][emptyDir] volume to
+store data. EmptyDir is erased when the pod terminates, here it is used only
+for testing purposes. **Important:** please change the storage to persistent
+volume claim before actually using this StatefulSet in your setup!
 
 ## Fluentd
-Fluentd is deployed as a
-[DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) which spawns a
-pod on each node that reads logs, generated by kubelet, container runtime and containers and
-sends them to Elasticsearch.
 
-*Please note that for Fluentd to work, every Kubernetes node must be labeled*
-`beta.kubernetes.io/fluentd-ds-ready=true`, as otherwise Fluentd will ignore them.
+Fluentd is deployed as a [DaemonSet][daemonSet] which spawns a pod on each
+node that reads logs, generated by kubelet, container runtime and containers
+and sends them to Elasticsearch.
 
-Learn more at: https://kubernetes.io/docs/tasks/debug-application-cluster/logging-elasticsearch-kibana
+**Note:** in order for Fluentd to work, every Kubernetes node must be labeled
+with `beta.kubernetes.io/fluentd-ds-ready=true`, as otherwise the Fluentd
+DaemonSet will ignore them.
+
+Learn more in the [official Kubernetes documentation][k8sElasticsearchDocs].
+
+### Known problems
+
+Since Fluentd talks to the Elasticsearch service inside the cluster, instances
+on masters won't work, because masters have no kube-proxy. Don't mark masters
+with a label mentioned in the previous paragraph or add a taint on them to
+avoid Fluentd pods scheduling there.
+
+[fluentd]: http://www.fluentd.org/
+[elasticsearch]: https://www.elastic.co/products/elasticsearch
+[kibana]: https://www.elastic.co/products/kibana
+[xPack]: https://www.elastic.co/products/x-pack
+[setupCreds]: https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#reset-built-in-user-passwords
+[fluentdCreds]: https://github.com/uken/fluent-plugin-elasticsearch#user-password-path-scheme-ssl_verify
+[fluentdEnvVar]: https://docs.fluentd.org/v0.12/articles/faq#how-can-i-use-environment-variables-to-configure-parameters-dynamically
+[configMap]: https://kubernetes.io/docs/tasks/configure-pod-container/configmap/
+[secret]: https://kubernetes.io/docs/concepts/configuration/secret/
+[statefulSet]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset
+[initContainer]: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+[emptyDir]: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+[daemonSet]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+[k8sElasticsearchDocs]: https://kubernetes.io/docs/tasks/debug-application-cluster/logging-elasticsearch-kibana
 
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/fluentd-elasticsearch/README.md?pixel)]()
-
diff --git a/cluster/addons/fluentd-elasticsearch/env-configmap.yaml b/cluster/addons/fluentd-elasticsearch/env-configmap.yaml
deleted file mode 100644
index 0ab1075fc85..00000000000
--- a/cluster/addons/fluentd-elasticsearch/env-configmap.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: environment
-  namespace: kube-system
-data:
-  elasticsearch-user: elastic
diff --git a/cluster/addons/fluentd-elasticsearch/env-secret.yaml b/cluster/addons/fluentd-elasticsearch/env-secret.yaml
deleted file mode 100644
index 9e045135463..00000000000
--- a/cluster/addons/fluentd-elasticsearch/env-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: environment
-  namespace: kube-system
-type: Opaque
-data:
-  elasticsearch-password: Y2hhbmdlbWU=
diff --git a/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml b/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
deleted file mode 100644
index e77f51cd2d2..00000000000
--- a/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: elasticsearch-logging
-  labels:
-    k8s-app: elasticsearch-logging
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - "services"
-  - "namespaces"
-  - "endpoints"
-  verbs:
-  - "get"
diff --git a/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml b/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
deleted file mode 100644
index ee3847bb814..00000000000
--- a/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  namespace: kube-system
-  name: elasticsearch-logging
-  labels:
-    k8s-app: elasticsearch-logging
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-subjects:
-- kind: ServiceAccount
-  name: elasticsearch-logging
-  namespace: kube-system
-  apiGroup: ""
-roleRef:
-  kind: ClusterRole
-  name: elasticsearch-logging
-  apiGroup: ""
diff --git a/cluster/addons/fluentd-elasticsearch/es-image/Dockerfile b/cluster/addons/fluentd-elasticsearch/es-image/Dockerfile
index a9f2c56cffc..28e3c96d3d3 100644
--- a/cluster/addons/fluentd-elasticsearch/es-image/Dockerfile
+++ b/cluster/addons/fluentd-elasticsearch/es-image/Dockerfile
@@ -14,22 +14,12 @@
 
 FROM docker.elastic.co/elasticsearch/elasticsearch:5.5.1
 
-USER root
-
-RUN mkdir /data
-RUN chown -R elasticsearch:elasticsearch /data
-
-WORKDIR /usr/share/elasticsearch
-
 VOLUME ["/data"]
 EXPOSE 9200 9300
 
-USER elasticsearch
-COPY elasticsearch_logging_discovery bin/
-COPY config/elasticsearch.yml config/
-COPY config/log4j2.properties config/
-COPY run.sh bin/
+COPY elasticsearch_logging_discovery run.sh bin/
+COPY config/elasticsearch.yml config/log4j2.properties config/
 
 USER root
-RUN chown -R elasticsearch:elasticsearch config
+RUN chown -R elasticsearch:elasticsearch ./
 CMD ["bin/run.sh"]
diff --git a/cluster/addons/fluentd-elasticsearch/es-image/Makefile b/cluster/addons/fluentd-elasticsearch/es-image/Makefile
index 753d09f6cd0..32d2c46ddf5 100755
--- a/cluster/addons/fluentd-elasticsearch/es-image/Makefile
+++ b/cluster/addons/fluentd-elasticsearch/es-image/Makefile
@@ -12,19 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-.PHONY:	elasticsearch_logging_discovery build push
+.PHONY:	binary build push
 
-# The current value of the tag to be used for building and
-# pushing an image to gcr.io
-TAG = v5.5.1
+PREFIX = gcr.io/google-containers
+IMAGE = elasticsearch
+TAG = v5.5.1-1
 
-build:	elasticsearch_logging_discovery
-	docker build --pull -t gcr.io/google_containers/elasticsearch:$(TAG) .
+build:
+	docker build --pull -t $(PREFIX)/$(IMAGE):$(TAG) .
 
 push:
-	gcloud docker -- push gcr.io/google_containers/elasticsearch:$(TAG)
+	gcloud docker -- push $(PREFIX)/$(IMAGE):$(TAG)
 
-elasticsearch_logging_discovery:
+binary:
 	CGO_ENABLED=0 GOOS=linux go build -a -ldflags "-w" elasticsearch_logging_discovery.go
 
 clean:
diff --git a/cluster/addons/fluentd-elasticsearch/es-image/config/elasticsearch.yml b/cluster/addons/fluentd-elasticsearch/es-image/config/elasticsearch.yml
index f4ffee74a7f..23c59c53b79 100644
--- a/cluster/addons/fluentd-elasticsearch/es-image/config/elasticsearch.yml
+++ b/cluster/addons/fluentd-elasticsearch/es-image/config/elasticsearch.yml
@@ -12,3 +12,6 @@ path.data: /data
 network.host: 0.0.0.0
 
 discovery.zen.minimum_master_nodes: ${MINIMUM_MASTER_NODES}
+
+xpack.security.enabled: false
+xpack.monitoring.enabled: false
diff --git a/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml b/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
deleted file mode 100644
index 6f4ede424e1..00000000000
--- a/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: elasticsearch-logging
-  namespace: kube-system
-  labels:
-    k8s-app: elasticsearch-logging
-    version: v1
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
diff --git a/cluster/addons/fluentd-elasticsearch/es-statefulset.yaml b/cluster/addons/fluentd-elasticsearch/es-statefulset.yaml
index 85256106794..43505ea476e 100644
--- a/cluster/addons/fluentd-elasticsearch/es-statefulset.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-statefulset.yaml
@@ -1,11 +1,60 @@
-apiVersion: apps/v1beta1
-kind: StatefulSet
+# RBAC authn and authz
+apiVersion: v1
+kind: ServiceAccount
 metadata:
-  name: elasticsearch-logging-v1
+  name: elasticsearch-logging
   namespace: kube-system
   labels:
     k8s-app: elasticsearch-logging
-    version: v1
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: elasticsearch-logging
+  labels:
+    k8s-app: elasticsearch-logging
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  - "namespaces"
+  - "endpoints"
+  verbs:
+  - "get"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  namespace: kube-system
+  name: elasticsearch-logging
+  labels:
+    k8s-app: elasticsearch-logging
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+  name: elasticsearch-logging
+  namespace: kube-system
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: elasticsearch-logging
+  apiGroup: ""
+---
+# Elasticsearch deployment itself
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+  name: elasticsearch-logging
+  namespace: kube-system
+  labels:
+    k8s-app: elasticsearch-logging
+    version: v5.5.1
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
@@ -14,17 +63,17 @@ spec:
   selector:
     matchLabels:
       k8s-app: elasticsearch-logging
-      version: v1
+      version: v5.5.1
   template:
     metadata:
       labels:
         k8s-app: elasticsearch-logging
-        version: v1
+        version: v5.5.1
         kubernetes.io/cluster-service: "true"
     spec:
       serviceAccountName: elasticsearch-logging
       containers:
-      - image: gcr.io/google_containers/elasticsearch:v5.5.1
+      - image: gcr.io/google-containers/elasticsearch:v5.5.1-1
         name: elasticsearch-logging
         resources:
           # need more cpu upon initialization, therefore burstable class
@@ -47,17 +96,15 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+      volumes:
+      - name: elasticsearch-logging
+        emptyDir: {}
+      # Elasticsearch requires vm.max_map_count to be at least 262144.
+      # If your OS already sets up this number to a higher value, feel free
+      # to remove this init container.
       initContainers:
       - image: alpine:3.6
         command: ["/sbin/sysctl", "-w", "vm.max_map_count=262144"]
         name: elasticsearch-logging-init
         securityContext:
           privileged: true
-  volumeClaimTemplates:
-  - metadata:
-      name: elasticsearch-logging
-    spec:
-      accessModes: ["ReadWriteOnce"]
-      resources:
-        requests:
-          storage: 100Gi
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
deleted file mode 100644
index 354956471ec..00000000000
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: fluentd-es
-  labels:
-    k8s-app: fluentd-es
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - "namespaces"
-  - "pods"
-  verbs:
-  - "get"
-  - "watch"
-  - "list"
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
deleted file mode 100644
index 24ff206ee03..00000000000
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: fluentd-es
-  labels:
-    k8s-app: fluentd-es
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-subjects:
-- kind: ServiceAccount
-  name: fluentd-es
-  namespace: kube-system
-  apiGroup: ""
-roleRef:
-  kind: ClusterRole
-  name: fluentd-es
-  apiGroup: ""
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-configmap.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-configmap.yaml
new file mode 100644
index 00000000000..3fe62d8ae59
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-configmap.yaml
@@ -0,0 +1,362 @@
+kind: ConfigMap
+apiVersion: v1
+data:
+  containers.input.conf: |-
+    # This configuration file for Fluentd / td-agent is used
+    # to watch changes to Docker log files. The kubelet creates symlinks that
+    # capture the pod name, namespace, container name & Docker container ID
+    # to the docker logs for pods in the /var/log/containers directory on the host.
+    # If running this fluentd configuration in a Docker container, the /var/log
+    # directory should be mounted in the container.
+    #
+    # These logs are then submitted to Elasticsearch which assumes the
+    # installation of the fluent-plugin-elasticsearch & the
+    # fluent-plugin-kubernetes_metadata_filter plugins.
+    # See https://github.com/uken/fluent-plugin-elasticsearch &
+    # https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter for
+    # more information about the plugins.
+    #
+    # Example
+    # =======
+    # A line in the Docker log file might look like this JSON:
+    #
+    # {"log":"2014/09/25 21:15:03 Got request with path wombat\n",
+    #  "stream":"stderr",
+    #   "time":"2014-09-25T21:15:03.499185026Z"}
+    #
+    # The time_format specification below makes sure we properly
+    # parse the time format produced by Docker. This will be
+    # submitted to Elasticsearch and should appear like:
+    # $ curl 'http://elasticsearch-logging:9200/_search?pretty'
+    # ...
+    # {
+    #      "_index" : "logstash-2014.09.25",
+    #      "_type" : "fluentd",
+    #      "_id" : "VBrbor2QTuGpsQyTCdfzqA",
+    #      "_score" : 1.0,
+    #      "_source":{"log":"2014/09/25 22:45:50 Got request with path wombat\n",
+    #                 "stream":"stderr","tag":"docker.container.all",
+    #                 "@timestamp":"2014-09-25T22:45:50+00:00"}
+    #    },
+    # ...
+    #
+    # The Kubernetes fluentd plugin is used to write the Kubernetes metadata to the log
+    # record & add labels to the log record if properly configured. This enables users
+    # to filter & search logs on any metadata.
+    # For example a Docker container's logs might be in the directory:
+    #
+    #  /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b
+    #
+    # and in the file:
+    #
+    #  997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
+    #
+    # where 997599971ee6... is the Docker ID of the running container.
+    # The Kubernetes kubelet makes a symbolic link to this file on the host machine
+    # in the /var/log/containers directory which includes the pod name and the Kubernetes
+    # container name:
+    #
+    #    synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
+    #    ->
+    #    /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
+    #
+    # The /var/log directory on the host is mapped to the /var/log directory in the container
+    # running this instance of Fluentd and we end up collecting the file:
+    #
+    #   /var/log/containers/synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
+    #
+    # This results in the tag:
+    #
+    #  var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
+    #
+    # The Kubernetes fluentd plugin is used to extract the namespace, pod name & container name
+    # which are added to the log message as a kubernetes field object & the Docker container ID
+    # is also added under the docker field object.
+    # The final tag is:
+    #
+    #   kubernetes.var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
+    #
+    # And the final log record look like:
+    #
+    # {
+    #   "log":"2014/09/25 21:15:03 Got request with path wombat\n",
+    #   "stream":"stderr",
+    #   "time":"2014-09-25T21:15:03.499185026Z",
+    #   "kubernetes": {
+    #     "namespace": "default",
+    #     "pod_name": "synthetic-logger-0.25lps-pod",
+    #     "container_name": "synth-lgr"
+    #   },
+    #   "docker": {
+    #     "container_id": "997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b"
+    #   }
+    # }
+    #
+    # This makes it easier for users to search for logs by pod name or by
+    # the name of the Kubernetes container regardless of how many times the
+    # Kubernetes pod has been restarted (resulting in a several Docker container IDs).
+
+    # Example:
+    # {"log":"[info:2016-02-16T16:04:05.930-08:00] Some log text here\n","stream":"stdout","time":"2016-02-17T00:04:05.931087621Z"}
+    <source>
+      type tail
+      path /var/log/containers/*.log
+      pos_file /var/log/es-containers.log.pos
+      time_format %Y-%m-%dT%H:%M:%S.%NZ
+      tag kubernetes.*
+      format json
+      read_from_head true
+    </source>
+  system.input.conf: |-
+    # Example:
+    # 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
+    <source>
+      type tail
+      format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
+      time_format %Y-%m-%d %H:%M:%S
+      path /var/log/salt/minion
+      pos_file /var/log/es-salt.pos
+      tag salt
+    </source>
+
+    # Example:
+    # Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
+    <source>
+      type tail
+      format syslog
+      path /var/log/startupscript.log
+      pos_file /var/log/es-startupscript.log.pos
+      tag startupscript
+    </source>
+
+    # Examples:
+    # time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
+    # time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
+    <source>
+      type tail
+      format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+      path /var/log/docker.log
+      pos_file /var/log/es-docker.log.pos
+      tag docker
+    </source>
+
+    # Example:
+    # 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
+    <source>
+      type tail
+      # Not parsing this, because it doesn't have anything particularly useful to
+      # parse out of it (like severities).
+      format none
+      path /var/log/etcd.log
+      pos_file /var/log/es-etcd.log.pos
+      tag etcd
+    </source>
+
+    # Multi-line parsing is required for all the kube logs because very large log
+    # statements, such as those that include entire object bodies, get split into
+    # multiple lines by glog.
+
+    # Example:
+    # I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/kubelet.log
+      pos_file /var/log/es-kubelet.log.pos
+      tag kubelet
+    </source>
+
+    # Example:
+    # I1118 21:26:53.975789       6 proxier.go:1096] Port "nodePort for kube-system/default-http-backend:http" (:31429/tcp) was open before and is still needed
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/kube-proxy.log
+      pos_file /var/log/es-kube-proxy.log.pos
+      tag kube-proxy
+    </source>
+
+    # Example:
+    # I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/kube-apiserver.log
+      pos_file /var/log/es-kube-apiserver.log.pos
+      tag kube-apiserver
+    </source>
+
+    # Example:
+    # I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/kube-controller-manager.log
+      pos_file /var/log/es-kube-controller-manager.log.pos
+      tag kube-controller-manager
+    </source>
+
+    # Example:
+    # W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/kube-scheduler.log
+      pos_file /var/log/es-kube-scheduler.log.pos
+      tag kube-scheduler
+    </source>
+
+    # Example:
+    # I1104 10:36:20.242766       5 rescheduler.go:73] Running Rescheduler
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/rescheduler.log
+      pos_file /var/log/es-rescheduler.log.pos
+      tag rescheduler
+    </source>
+
+    # Example:
+    # I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/glbc.log
+      pos_file /var/log/es-glbc.log.pos
+      tag glbc
+    </source>
+
+    # Example:
+    # I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
+    <source>
+      type tail
+      format multiline
+      multiline_flush_interval 5s
+      format_firstline /^\w\d{4}/
+      format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
+      time_format %m%d %H:%M:%S.%N
+      path /var/log/cluster-autoscaler.log
+      pos_file /var/log/es-cluster-autoscaler.log.pos
+      tag cluster-autoscaler
+    </source>
+
+    # Logs from systemd-journal for interesting services.
+    <source>
+      type systemd
+      filters [{ "_SYSTEMD_UNIT": "docker.service" }]
+      pos_file /var/log/gcp-journald-docker.pos
+      read_from_head true
+      tag docker
+    </source>
+
+    <source>
+      type systemd
+      filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]
+      pos_file /var/log/gcp-journald-kubelet.pos
+      read_from_head true
+      tag kubelet
+    </source>
+
+    <source>
+      type systemd
+      filters [{ "_SYSTEMD_UNIT": "node-problem-detector.service" }]
+      pos_file /var/log/gcp-journald-node-problem-detector.pos
+      read_from_head true
+      tag node-problem-detector
+    </source>
+  forward.input.conf: |-
+    # Takes the messages sent over TCP
+    <source>
+      type forward
+    </source>
+  monitoring.conf: |-
+    # Prometheus Exporter Plugin
+    # input plugin that exports metrics
+    <source>
+      @type prometheus
+    </source>
+
+    <source>
+      @type monitor_agent
+    </source>
+
+    # input plugin that collects metrics from MonitorAgent
+    <source>
+      @type prometheus_monitor
+      <labels>
+        host ${hostname}
+      </labels>
+    </source>
+
+    # input plugin that collects metrics for output plugin
+    <source>
+      @type prometheus_output_monitor
+      <labels>
+        host ${hostname}
+      </labels>
+    </source>
+
+    # input plugin that collects metrics for in_tail plugin
+    <source>
+      @type prometheus_tail_monitor
+      <labels>
+        host ${hostname}
+      </labels>
+    </source>
+  output.conf: |-
+    # Enriches records with Kubernetes metadata
+    <filter kubernetes.**>
+      type kubernetes_metadata
+    </filter>
+
+    <match **>
+       type elasticsearch
+       log_level info
+       include_tag_key true
+       host elasticsearch-logging
+       port 9200
+       logstash_format true
+       # Set the chunk limits.
+       buffer_chunk_limit 2M
+       buffer_queue_limit 8
+       flush_interval 5s
+       # Never wait longer than 5 minutes between retries.
+       max_retry_wait 30
+       # Disable the limit on the number of retries (retry forever).
+       disable_retry_limit
+       # Use multiple threads for processing.
+       num_threads 2
+    </match>
+metadata:
+  name: fluentd-es-config-v0.1.0
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
index 035297f4b5d..41f28aae41e 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
@@ -1,20 +1,67 @@
-apiVersion: extensions/v1beta1
-kind: DaemonSet
+apiVersion: v1
+kind: ServiceAccount
 metadata:
-  name: fluentd-es-v1.24
+  name: fluentd-es
   namespace: kube-system
   labels:
     k8s-app: fluentd-es
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
-    version: v1.24
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: fluentd-es
+  labels:
+    k8s-app: fluentd-es
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "pods"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: fluentd-es
+  labels:
+    k8s-app: fluentd-es
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+  name: fluentd-es
+  namespace: kube-system
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: fluentd-es
+  apiGroup: ""
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: fluentd-es
+  namespace: kube-system
+  labels:
+    k8s-app: fluentd-es
+    version: v2.0.0
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
 spec:
   template:
     metadata:
       labels:
         k8s-app: fluentd-es
         kubernetes.io/cluster-service: "true"
-        version: v1.24
+        version: v2.0.0
       # This annotation ensures that fluentd does not get evicted if the node
       # supports critical pod annotation based priority scheme.
       # Note that this does not guarantee admission on the nodes (#40573).
@@ -24,27 +71,13 @@ spec:
       serviceAccountName: fluentd-es
       containers:
       - name: fluentd-es
-        image: gcr.io/google_containers/fluentd-elasticsearch:1.24
-        command:
-          - '/bin/sh'
-          - '-c'
-          - '/usr/sbin/td-agent $FLUENTD_ARGS'
+        image: gcr.io/google-containers/fluentd-elasticsearch:v2.0.0
         env:
         - name: FLUENTD_ARGS
-          value: -q
-        - name: FLUENT_ELASTICSEARCH_USER
-          valueFrom:
-            configMapKeyRef:
-              name: environment
-              key: elasticsearch-user
-        - name: FLUENT_ELASTICSEARCH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: environment
-              key: elasticsearch-password
+          value: --no-supervisor -q
         resources:
           limits:
-            memory: 200Mi
+            memory: 500Mi
           requests:
             cpu: 100m
             memory: 200Mi
@@ -54,6 +87,11 @@ spec:
         - name: varlibdockercontainers
           mountPath: /var/lib/docker/containers
           readOnly: true
+        - name: libsystemddir
+          mountPath: /host/lib
+          readOnly: true
+        - name: config-volume
+          mountPath: /etc/fluent/config.d
       nodeSelector:
         beta.kubernetes.io/fluentd-ds-ready: "true"
       terminationGracePeriodSeconds: 30
@@ -64,3 +102,10 @@ spec:
       - name: varlibdockercontainers
         hostPath:
           path: /var/lib/docker/containers
+      # It is needed to copy systemd library to decompress journals
+      - name: libsystemddir
+        hostPath:
+          path: /usr/lib64
+      - name: config-volume
+        configMap:
+          name: fluentd-es-config-v0.1.0
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Dockerfile b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Dockerfile
index d12fc43a2d9..4e230c68d98 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Dockerfile
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Dockerfile
@@ -15,28 +15,45 @@
 # This Dockerfile will build an image that is configured
 # to run Fluentd with an Elasticsearch plug-in and the
 # provided configuration file.
-# TODO(a-robinson): Use a lighter base image, e.g. some form of busybox.
 # The image acts as an executable for the binary /usr/sbin/td-agent.
 # Note that fluentd is run with root permssion to allow access to
 # log files with root only access under /var/log/containers/*
-# Please see http://docs.fluentd.org/articles/install-by-deb for more
-# information about installing fluentd using deb package.
 
-FROM gcr.io/google_containers/ubuntu-slim:0.6
+FROM gcr.io/google-containers/debian-base-amd64:0.1
 
-# Ensure there are enough file descriptors for running Fluentd.
-RUN ulimit -n 65536
+COPY Gemfile /Gemfile
 
-# Disable prompts from apt.
-ENV DEBIAN_FRONTEND noninteractive
+# 1. Install & configure dependencies.
+# 2. Install fluentd via ruby.
+# 3. Remove build dependencies.
+# 4. Cleanup leftover caches & files.
+RUN BUILD_DEPS="make gcc g++ libc6-dev ruby-dev" \
+    && clean-install $BUILD_DEPS \
+                     ca-certificates \
+                     libjemalloc1 \
+                     liblz4-1 \
+                     ruby \
+    && echo 'gem: --no-document' >> /etc/gemrc \
+    && gem install --file Gemfile \
+    && apt-get purge -y --auto-remove \
+                     -o APT::AutoRemove::RecommendsImportant=false \
+                     $BUILD_DEPS \
+    && rm -rf /tmp/* \
+              /var/lib/apt/lists/* \
+              /usr/lib/ruby/gems/*/cache/*.gem \
+              /var/log/* \
+              /var/tmp/* \
+    # Ensure fluent has enough file descriptors
+    && ulimit -n 65536
 
-# Copy the Fluentd configuration file.
-COPY td-agent.conf /etc/td-agent/td-agent.conf
+# Copy the Fluentd configuration file for logging Docker container logs.
+COPY fluent.conf /etc/fluent/fluent.conf
+COPY run.sh /run.sh
 
-COPY build.sh /tmp/build.sh
-RUN /tmp/build.sh
+# Expose prometheus metrics.
+EXPOSE 80
 
-ENV LD_PRELOAD /opt/td-agent/embedded/lib/libjemalloc.so
+ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1
 
-# Run the Fluentd service.
-ENTRYPOINT ["td-agent"]
+# Start Fluentd to pick up our config that watches Docker container logs.
+CMD /run.sh $FLUENTD_ARGS
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Gemfile b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Gemfile
new file mode 100644
index 00000000000..5ef6d20e2c3
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Gemfile
@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'fluentd', '~>0.12.32'
+gem 'activesupport', '~>4.2.6'
+gem 'fluent-plugin-kubernetes_metadata_filter', '~>0.27.0'
+gem 'fluent-plugin-elasticsearch', '~>1.9.5'
+gem 'fluent-plugin-systemd', '~>0.0.8'
+gem 'fluent-plugin-prometheus', '~>0.3.0'
+gem 'oj', '~>2.18.1'
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
index d1747deab43..3d14c226b00 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/Makefile
@@ -14,12 +14,12 @@
 
 .PHONY:	build push
 
-PREFIX = gcr.io/google_containers
+PREFIX = gcr.io/google-containers
 IMAGE = fluentd-elasticsearch
-TAG = 1.24
+TAG = v2.0.0
 
 build:
 	docker build --pull -t $(PREFIX)/$(IMAGE):$(TAG) .
 
 push:
-	gcloud docker --server=gcr.io -- push $(PREFIX)/$(IMAGE):$(TAG)
+	gcloud docker -- push $(PREFIX)/$(IMAGE):$(TAG)
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md
index 1942b77996e..8b97511a009 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md
@@ -1,10 +1,14 @@
 # Collecting Docker Log Files with Fluentd and Elasticsearch
 This directory contains the source files needed to make a Docker image
-that collects Docker container log files using [Fluentd](http://www.fluentd.org/)
-and sends them to an instance of [Elasticsearch](http://www.elasticsearch.org/).
-This image is designed to be used as part of the [Kubernetes](https://github.com/kubernetes/kubernetes)
-cluster bring up process. The image resides at DockerHub under the name
-[kubernetes/fluentd-elasticsearch](https://registry.hub.docker.com/u/kubernetes/fluentd-elasticsearch/).
+that collects Docker container log files using [Fluentd][fluentd]
+and sends them to an instance of [Elasticsearch][elasticsearch].
+This image is designed to be used as part of the [Kubernetes][kubernetes]
+cluster bring up process. The image resides at GCR under the name
+[gcr.io/google-containers/fluentd-elasticsearch][image].
 
+[fluentd]: http://www.fluentd.org/
+[elasticsearch]: https://www.elastic.co/products/elasticsearch
+[kubernetes]: https://kubernetes.io
+[image]: https://gcr.io/google-containers/fluentd-elasticsearch
 
-[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md?pixel)]()
\ No newline at end of file
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/fluentd-elasticsearch/fluentd-es-image/README.md?pixel)]()
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/build.sh b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/build.sh
deleted file mode 100755
index 4c0339ca75f..00000000000
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/build.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# Install prerequisites.
-apt-get update
-
-apt-get install -y -q --no-install-recommends \
-  curl ca-certificates make g++ sudo bash
-
-# Install Fluentd.
-/usr/bin/curl -sSL https://toolbelt.treasuredata.com/sh/install-ubuntu-xenial-td-agent2.sh | sh
-
-# Change the default user and group to root.
-# Needed to allow access to /var/log/docker/... files.
-sed -i -e "s/USER=td-agent/USER=root/" -e "s/GROUP=td-agent/GROUP=root/" /etc/init.d/td-agent
-
-# Install the Elasticsearch Fluentd plug-in.
-# http://docs.fluentd.org/articles/plugin-management
-td-agent-gem install --no-document fluent-plugin-kubernetes_metadata_filter -v 0.27.0
-td-agent-gem install --no-document fluent-plugin-elasticsearch -v 1.9.5
-td-agent-gem install --no-document fluent-plugin-prometheus -v 0.3.0
-
-# Remove docs and postgres references
-rm -rf /opt/td-agent/embedded/share/doc \
-  /opt/td-agent/embedded/share/gtk-doc \
-  /opt/td-agent/embedded/lib/postgresql \
-  /opt/td-agent/embedded/bin/postgres \
-  /opt/td-agent/embedded/share/postgresql
-
-apt-get remove -y make g++
-apt-get autoremove -y
-apt-get clean -y
-
-rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/fluent.conf b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/fluent.conf
new file mode 100644
index 00000000000..a73db5d7c70
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/fluent.conf
@@ -0,0 +1,8 @@
+# This is the root config file, which only includes components of the actual configuration
+
+# Do not collect fluentd's own logs to avoid infinite loops.
+<match fluent.**>
+  type null
+</match>
+
+@include /etc/fluent/config.d/*.conf
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/run.sh b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/run.sh
new file mode 100755
index 00000000000..bf7b3fa00fa
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/run.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# These steps must be executed once the host /var and /lib volumes have
+# been mounted, and therefore cannot be done in the docker build stage.
+
+# For systems without journald
+mkdir -p /var/log/journal
+
+# Copy host libsystemd into image to avoid compatibility issues.
+if [ ! -z "$(ls /host/lib/libsystemd* 2>/dev/null)" ]; then
+  rm /lib/x86_64-linux-gnu/libsystemd*
+  cp -a /host/lib/libsystemd* /lib/x86_64-linux-gnu/
+fi
+
+/usr/local/bin/fluentd $@
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf b/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf
deleted file mode 100644
index bf2c0821554..00000000000
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf
+++ /dev/null
@@ -1,344 +0,0 @@
-# This configuration file for Fluentd / td-agent is used
-# to watch changes to Docker log files. The kubelet creates symlinks that
-# capture the pod name, namespace, container name & Docker container ID
-# to the docker logs for pods in the /var/log/containers directory on the host.
-# If running this fluentd configuration in a Docker container, the /var/log
-# directory should be mounted in the container.
-#
-# These logs are then submitted to Elasticsearch which assumes the
-# installation of the fluent-plugin-elasticsearch & the
-# fluent-plugin-kubernetes_metadata_filter plugins.
-# See https://github.com/uken/fluent-plugin-elasticsearch &
-# https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter for
-# more information about the plugins.
-# Maintainer: Jimmi Dyson <jimmidyson@gmail.com>
-#
-# Example
-# =======
-# A line in the Docker log file might look like this JSON:
-#
-# {"log":"2014/09/25 21:15:03 Got request with path wombat\n",
-#  "stream":"stderr",
-#   "time":"2014-09-25T21:15:03.499185026Z"}
-#
-# The time_format specification below makes sure we properly
-# parse the time format produced by Docker. This will be
-# submitted to Elasticsearch and should appear like:
-# $ curl 'http://elasticsearch-logging:9200/_search?pretty'
-# ...
-# {
-#      "_index" : "logstash-2014.09.25",
-#      "_type" : "fluentd",
-#      "_id" : "VBrbor2QTuGpsQyTCdfzqA",
-#      "_score" : 1.0,
-#      "_source":{"log":"2014/09/25 22:45:50 Got request with path wombat\n",
-#                 "stream":"stderr","tag":"docker.container.all",
-#                 "@timestamp":"2014-09-25T22:45:50+00:00"}
-#    },
-# ...
-#
-# The Kubernetes fluentd plugin is used to write the Kubernetes metadata to the log
-# record & add labels to the log record if properly configured. This enables users
-# to filter & search logs on any metadata.
-# For example a Docker container's logs might be in the directory:
-#
-#  /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b
-#
-# and in the file:
-#
-#  997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
-#
-# where 997599971ee6... is the Docker ID of the running container.
-# The Kubernetes kubelet makes a symbolic link to this file on the host machine
-# in the /var/log/containers directory which includes the pod name and the Kubernetes
-# container name:
-#
-#    synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
-#    ->
-#    /var/lib/docker/containers/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b/997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b-json.log
-#
-# The /var/log directory on the host is mapped to the /var/log directory in the container
-# running this instance of Fluentd and we end up collecting the file:
-#
-#   /var/log/containers/synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
-#
-# This results in the tag:
-#
-#  var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
-#
-# The Kubernetes fluentd plugin is used to extract the namespace, pod name & container name
-# which are added to the log message as a kubernetes field object & the Docker container ID
-# is also added under the docker field object.
-# The final tag is:
-#
-#   kubernetes.var.log.containers.synthetic-logger-0.25lps-pod_default_synth-lgr-997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b.log
-#
-# And the final log record look like:
-#
-# {
-#   "log":"2014/09/25 21:15:03 Got request with path wombat\n",
-#   "stream":"stderr",
-#   "time":"2014-09-25T21:15:03.499185026Z",
-#   "kubernetes": {
-#     "namespace": "default",
-#     "pod_name": "synthetic-logger-0.25lps-pod",
-#     "container_name": "synth-lgr"
-#   },
-#   "docker": {
-#     "container_id": "997599971ee6366d4a5920d25b79286ad45ff37a74494f262e3bc98d909d0a7b"
-#   }
-# }
-#
-# This makes it easier for users to search for logs by pod name or by
-# the name of the Kubernetes container regardless of how many times the
-# Kubernetes pod has been restarted (resulting in a several Docker container IDs).
-#
-# TODO: Propagate the labels associated with a container along with its logs
-# so users can query logs using labels as well as or instead of the pod name
-# and container name. This is simply done via configuration of the Kubernetes
-# fluentd plugin but requires secrets to be enabled in the fluent pod. This is a
-# problem yet to be solved as secrets are not usable in static pods which the fluentd
-# pod must be until a per-node controller is available in Kubernetes.
-
-# Prevent fluentd from handling records containing its own logs. Otherwise
-# it can lead to an infinite loop, when error in sending one message generates
-# another message which also fails to be sent and so on.
-<match fluent.**>
-  type null
-</match>
-
-# Example:
-# {"log":"[info:2016-02-16T16:04:05.930-08:00] Some log text here\n","stream":"stdout","time":"2016-02-17T00:04:05.931087621Z"}
-<source>
-  type tail
-  path /var/log/containers/*.log
-  pos_file /var/log/es-containers.log.pos
-  time_format %Y-%m-%dT%H:%M:%S.%NZ
-  tag kubernetes.*
-  format json
-  read_from_head true
-</source>
-
-# Example:
-# 2015-12-21 23:17:22,066 [salt.state       ][INFO    ] Completed state [net.ipv4.ip_forward] at time 23:17:22.066081
-<source>
-  type tail
-  format /^(?<time>[^ ]* [^ ,]*)[^\[]*\[[^\]]*\]\[(?<severity>[^ \]]*) *\] (?<message>.*)$/
-  time_format %Y-%m-%d %H:%M:%S
-  path /var/log/salt/minion
-  pos_file /var/log/es-salt.pos
-  tag salt
-</source>
-
-# Example:
-# Dec 21 23:17:22 gke-foo-1-1-4b5cbd14-node-4eoj startupscript: Finished running startup script /var/run/google.startup.script
-<source>
-  type tail
-  format syslog
-  path /var/log/startupscript.log
-  pos_file /var/log/es-startupscript.log.pos
-  tag startupscript
-</source>
-
-# Examples:
-# time="2016-02-04T06:51:03.053580605Z" level=info msg="GET /containers/json"
-# time="2016-02-04T07:53:57.505612354Z" level=error msg="HTTP Error" err="No such image: -f" statusCode=404
-<source>
-  type tail
-  format /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
-  path /var/log/docker.log
-  pos_file /var/log/es-docker.log.pos
-  tag docker
-</source>
-
-# Example:
-# 2016/02/04 06:52:38 filePurge: successfully removed file /var/etcd/data/member/wal/00000000000006d0-00000000010a23d1.wal
-<source>
-  type tail
-  # Not parsing this, because it doesn't have anything particularly useful to
-  # parse out of it (like severities).
-  format none
-  path /var/log/etcd.log
-  pos_file /var/log/es-etcd.log.pos
-  tag etcd
-</source>
-
-# Multi-line parsing is required for all the kube logs because very large log
-# statements, such as those that include entire object bodies, get split into
-# multiple lines by glog.
-
-# Example:
-# I0204 07:32:30.020537    3368 server.go:1048] POST /stats/container/: (13.972191ms) 200 [[Go-http-client/1.1] 10.244.1.3:40537]
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/kubelet.log
-  pos_file /var/log/es-kubelet.log.pos
-  tag kubelet
-</source>
-
-# Example:
-# I1118 21:26:53.975789       6 proxier.go:1096] Port "nodePort for kube-system/default-http-backend:http" (:31429/tcp) was open before and is still needed
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/kube-proxy.log
-  pos_file /var/log/es-kube-proxy.log.pos
-  tag kube-proxy
-</source>
-
-# Example:
-# I0204 07:00:19.604280       5 handlers.go:131] GET /api/v1/nodes: (1.624207ms) 200 [[kube-controller-manager/v1.1.3 (linux/amd64) kubernetes/6a81b50] 127.0.0.1:38266]
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/kube-apiserver.log
-  pos_file /var/log/es-kube-apiserver.log.pos
-  tag kube-apiserver
-</source>
-
-# Example:
-# I0204 06:55:31.872680       5 servicecontroller.go:277] LB already exists and doesn't need update for service kube-system/kube-ui
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/kube-controller-manager.log
-  pos_file /var/log/es-kube-controller-manager.log.pos
-  tag kube-controller-manager
-</source>
-
-# Example:
-# W0204 06:49:18.239674       7 reflector.go:245] pkg/scheduler/factory/factory.go:193: watch of *api.Service ended with: 401: The event in requested index is outdated and cleared (the requested history has been cleared [2578313/2577886]) [2579312]
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/kube-scheduler.log
-  pos_file /var/log/es-kube-scheduler.log.pos
-  tag kube-scheduler
-</source>
-
-# Example:
-# I1104 10:36:20.242766       5 rescheduler.go:73] Running Rescheduler
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/rescheduler.log
-  pos_file /var/log/es-rescheduler.log.pos
-  tag rescheduler
-</source>
-
-# Example:
-# I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/glbc.log
-  pos_file /var/log/es-glbc.log.pos
-  tag glbc
-</source>
-
-# Example:
-# I0603 15:31:05.793605       6 cluster_manager.go:230] Reading config from path /etc/gce.conf
-<source>
-  type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\w\d{4}/
-  format1 /^(?<severity>\w)(?<time>\d{4} [^\s]*)\s+(?<pid>\d+)\s+(?<source>[^ \]]+)\] (?<message>.*)/
-  time_format %m%d %H:%M:%S.%N
-  path /var/log/cluster-autoscaler.log
-  pos_file /var/log/es-cluster-autoscaler.log.pos
-  tag cluster-autoscaler
-</source>
-
-<filter kubernetes.**>
-  type kubernetes_metadata
-</filter>
-
-# Prometheus Exporter Plugin
-# input plugin that exports metrics
-<source>
-  type prometheus
-</source>
-
-<source>
-  type monitor_agent
-</source>
-
-<source>
-  type forward
-</source>
-
-# input plugin that collects metrics from MonitorAgent
-<source>
-  @type prometheus_monitor
-  <labels>
-    host ${hostname}
-  </labels>
-</source>
-
-# input plugin that collects metrics for output plugin
-<source>
-  @type prometheus_output_monitor
-  <labels>
-    host ${hostname}
-  </labels>
-</source>
-
-# input plugin that collects metrics for in_tail plugin
-<source>
-  @type prometheus_tail_monitor
-  <labels>
-    host ${hostname}
-  </labels>
-</source>
-
-<match **>
-   type elasticsearch
-   user "#{ENV['FLUENT_ELASTICSEARCH_USER']}"
-   password "#{ENV['FLUENT_ELASTICSEARCH_PASSWORD']}"
-   log_level info
-   include_tag_key true
-   host elasticsearch-logging
-   port 9200
-   logstash_format true
-   # Set the chunk limit the same as for fluentd-gcp.
-   buffer_chunk_limit 2M
-   # Cap buffer memory usage to 2MiB/chunk * 32 chunks = 64 MiB
-   buffer_queue_limit 32
-   flush_interval 5s
-   # Never wait longer than 5 minutes between retries.
-   max_retry_wait 30
-   # Disable the limit on the number of retries (retry forever).
-   disable_retry_limit
-   # Use multiple threads for processing.
-   num_threads 8
-</match>
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
deleted file mode 100644
index 3a26be215b7..00000000000
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: fluentd-es
-  namespace: kube-system
-  labels:
-    k8s-app: fluentd-es
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
diff --git a/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml b/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
index fcd74865c55..d3636d39814 100644
--- a/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
+++ b/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
@@ -27,10 +27,14 @@ spec:
           requests:
             cpu: 100m
         env:
-          - name: "ELASTICSEARCH_URL"
-            value: "http://elasticsearch-logging:9200"
-          - name: "SERVER_BASEPATH"
-            value: "/api/v1/proxy/namespaces/kube-system/services/kibana-logging"
+          - name: ELASTICSEARCH_URL
+            value: http://elasticsearch-logging:9200
+          - name: SERVER_BASEPATH
+            value: /api/v1/proxy/namespaces/kube-system/services/kibana-logging
+          - name: XPACK_MONITORING_ENABLED
+            value: "false"
+          - name: XPACK_SECURITY_ENABLED
+            value: "false"
         ports:
         - containerPort: 5601
           name: ui
diff --git a/cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml b/cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml
index c4304f5c156..069ecc4001e 100644
--- a/cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml
+++ b/cluster/addons/fluentd-gcp/fluentd-gcp-ds.yaml
@@ -28,15 +28,6 @@ spec:
       containers:
       - name: fluentd-gcp
         image: gcr.io/google-containers/fluentd-gcp:2.0.8
-        # If fluentd consumes its own logs, the following situation may happen:
-        # fluentd fails to send a chunk to the server => writes it to the log =>
-        # tries to send this message to the server => fails to send a chunk and so on.
-        # Writing to a file, which is not exported to the back-end prevents it.
-        # It also allows to increase the fluentd verbosity by default.
-        command:
-          - '/bin/sh'
-          - '-c'
-          - '/run.sh $FLUENTD_ARGS'
         env:
         - name: FLUENTD_ARGS
           value: --no-supervisor -q