There is an official manifest for the deployment of the daemonset https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/output/elasticsearch/fluent-bit-ds.yaml
Line 49 defines the volume varlibdockercontainers.
I don't understand why the Fluent-bit needs to read data from the folder /var/lib/docker/containers.
I don't understand why the Fluent-bit needs to read data from the folder
/var/lib/docker/containers.
Because that is where docker stores its ${container_id}-json.log file when using the json-file logging driver, which is (AFAIK) the default. There are more details in this related question
Therefore, in order for fluent to transmit logs, it does (effectively) tail -f $the_log_filename | jq -r .log and those are the container's logs. If you want to see the actual implementation, it seems to be in docker.h and its docker.c peer
