elastic
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 2 additions & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-role.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎filebeat/docs/fields.asciidoc‎
Lines changed: 21 additions & 0 deletions b/‎filebeat/docs/fields.asciidoc‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎filebeat/docs/modules/awsfargate.asciidoc‎
Lines changed: 139 additions & 0 deletions b/‎filebeat/docs/modules/awsfargate.asciidoc‎
Lines changed: 139 additions & 0 deletions
diff --git a/‎filebeat/docs/modules_list.asciidoc‎
Lines changed: 2 additions & 0 deletions b/‎filebeat/docs/modules_list.asciidoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎filebeat/tests/system/test_modules.py‎
Lines changed: 2 additions & 1 deletion b/‎filebeat/tests/system/test_modules.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎libbeat/autodiscover/providers/kubernetes/pod.go‎
Lines changed: 82 additions & 2 deletions b/‎libbeat/autodiscover/providers/kubernetes/pod.go‎
Lines changed: 82 additions & 2 deletions
@@ -371,6 +371,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add new ECS 1.9 field `cloud.service.name` to `add_cloud_metadata` processor. {pull}24993[24993]
 - Libbeat: report queue capacity, output batch size, and output client count to monitoring. {pull}24700[24700]
 - Add kubernetes.pod.ip field in kubernetes metadata. {pull}25037[25037]
+- Discover changes in Kubernetes namespace metadata as soon as they happen. {pull}25117[25117]
 
 *Auditbeat*
 
@@ -539,6 +540,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
 - Change `okta.target` to `flattened` field type.  {issue}24354[24354] {pull}24636[24636]
 - Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
+- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
 - New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
 
 *Heartbeat*
 
@@ -561,6 +561,7 @@ rules:
       - namespaces
       - events
       - pods
+      - services
     verbs: ["get", "list", "watch"]
   # Enable this rule only if planing to use kubernetes_secrets provider
   #- apiGroups: [""]
 
@@ -11,6 +11,7 @@ rules:
       - namespaces
       - events
       - pods
+      - services
     verbs: ["get", "list", "watch"]
   # Enable this rule only if planing to use kubernetes_secrets provider
   #- apiGroups: [""]
 
@@ -17,6 +17,7 @@ grouped in the following categories:
 * <<exported-fields-auditd>>
 * <<exported-fields-aws>>
 * <<exported-fields-aws-cloudwatch>>
+* <<exported-fields-awsfargate>>
 * <<exported-fields-azure>>
 * <<exported-fields-barracuda>>
 * <<exported-fields-beat-common>>
@@ -2318,6 +2319,26 @@ type: keyword
 
 --
 
+[[exported-fields-awsfargate]]
+== AWS Fargate fields
+
+Module for collecting container logs from Amazon ECS Fargate.
+
+
+
+[float]
+=== awsfargate
+
+Fields from Amazon ECS Fargate logs.
+
+
+
+[float]
+=== log
+
+Fields for Amazon Fargate container logs.
+
+
 [[exported-fields-azure]]
 == Azure fields
 
 
@@ -0,0 +1,139 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-awsfargate]]
+[role="xpack"]
+
+:libbeat-xpack-dir: ../../../x-pack/libbeat
+
+:modulename: awsfargate
+:has-dashboards: false
+
+== AWS Fargate module
+
+beta[]
+
+This module can be used to collect container logs from Amazon ECS on Fargate.
+It uses filebeat `awscloudwatch` input to get log files from one or more log
+streams in AWS CloudWatch. Logs from all containers in Fargate launch type tasks
+can be sent to CloudWatch by adding the `awslogs` log driver under `logConfiguration`
+section in the task definition. For example, `logConfiguration` can be added into
+the task definition by adding this section into the `containerDefinitions`:
+
+[source,json]
+----
+{
+   "logDriver":"awslogs",
+   "options":{
+      "awslogs-group":"awslogs-wordpress",
+      "awslogs-region":"us-west-2",
+      "awslogs-stream-prefix":"awslogs-example"
+   }
+}
+----
+
+The `awsfargate` module requires AWS credentials configuration in order to make AWS API calls.
+Users can either use `access_key_id`, `secret_access_key` and/or
+`session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.
+
+Please see <<awsfargate-credentials,AWS credentials options>> for more details.
+
+[float]
+=== Module configuration
+
+Example config:
+
+[source,yaml]
+----
+- module: aws
+  fargate:
+    enabled: true
+    var.credential_profile_name: test-filebeat
+    var.log_group_arn: arn:aws:logs:us-east-1:1234567890:log-group:/ecs/test-log-group:*
+----
+
+*`var.log_group_arn`*::
+
+ARN of the log group to collect logs from.
+
+*`var.log_group_name`*::
+
+Name of the log group to collect logs from. Note: region_name is required when
+log_group_name is given.
+
+*`var.region_name`*::
+
+Region that the specified log group belongs to.
+
+*`var.log_streams`*::
+
+A list of strings of log streams names that Filebeat collect log events from.
+
+*`var.log_stream_prefix`*::
+
+A string to filter the results to include only log events from log streams
+that have names starting with this prefix.
+
+*`var.start_position`*::
+
+`start_position` allows user to specify if this input should read log files from
+the `beginning` or from the `end`.
+
+* `beginning`: reads from the beginning of the log group (default).
+* `end`: read only new messages from current time minus `scan_frequency` going forward
+
+*`var.scan_frequency`*::
+
+This config parameter sets how often Filebeat checks for new log events from the
+specified log group. Default `scan_frequency` is 1 minute, which means Filebeat
+will sleep for 1 minute before querying for new logs again.
+
+*`var.api_timeout`*::
+
+The maximum duration of AWS API can take. If it exceeds the timeout, AWS API
+will be interrupted. The default AWS API timeout for a message is 120 seconds.
+The minimum is 0 seconds.
+
+*`var.api_sleep`*::
+
+This is used to sleep between AWS `FilterLogEvents` API calls inside the same
+collection period. `FilterLogEvents` API has a quota of 5 transactions per
+second (TPS)/account/Region. By default, `api_sleep` is 200 ms. This value should
+only be adjusted when there are multiple Filebeats or multiple Filebeat inputs
+collecting logs from the same region and AWS account.
+
+*`var.shared_credential_file`*::
+
+Filename of AWS credential file.
+
+*`var.credential_profile_name`*::
+
+AWS credential profile name.
+
+*`var.access_key_id`*::
+First part of access key.
+
+*`var.secret_access_key`*::
+Second part of access key.
+
+*`var.session_token`*::
+Required when using temporary security credentials.
+
+*`var.role_arn`*::
+AWS IAM Role to assume.
+
+*`var.endpoint`*::
+
+The custom endpoint used to access AWS APIs.
+
+[id="awsfargate-credentials"]
+include::{libbeat-xpack-dir}/docs/aws-credentials-config.asciidoc[]
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-awsfargate,exported fields>> section.
+
@@ -7,6 +7,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-apache>>
   * <<filebeat-module-auditd>>
   * <<filebeat-module-aws>>
+  * <<filebeat-module-awsfargate>>
   * <<filebeat-module-azure>>
   * <<filebeat-module-barracuda>>
   * <<filebeat-module-bluecoat>>
@@ -80,6 +81,7 @@ include::modules/activemq.asciidoc[]
 include::modules/apache.asciidoc[]
 include::modules/auditd.asciidoc[]
 include::modules/aws.asciidoc[]
+include::modules/awsfargate.asciidoc[]
 include::modules/azure.asciidoc[]
 include::modules/barracuda.asciidoc[]
 include::modules/bluecoat.asciidoc[]
 
@@ -282,7 +282,8 @@ def clean_keys(obj):
         "threatintel.abuseurl",
         "threatintel.abusemalware",
         "threatintel.anomali",
-        "snyk.vulnerabilities"
+        "snyk.vulnerabilities",
+        "awsfargate.log"
     }
     # dataset + log file pairs for which @timestamp is kept as an exception from above
     remove_timestamp_exception = {
 
@@ -19,11 +19,11 @@ package kubernetes
 
 import (
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/gofrs/uuid"
 	k8s "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/cache"
 
 	"github.com/elastic/beats/v7/libbeat/autodiscover/builder"
 	"github.com/elastic/beats/v7/libbeat/common"
@@ -43,7 +43,11 @@ type pod struct {
 	watcher          kubernetes.Watcher
 	nodeWatcher      kubernetes.Watcher
 	namespaceWatcher kubernetes.Watcher
-	namespaceStore   cache.Store
+
+	// Mutex used by configuration updates not triggered by the main watcher,
+	// to avoid race conditions between cross updates and deletions.
+	// Other updaters must use a write lock.
+	crossUpdate sync.RWMutex
 }
 
 // NewPodEventer creates an eventer that can discover and process pod objects
@@ -111,11 +115,20 @@ func NewPodEventer(uuid uuid.UUID, cfg *common.Config, client k8s.Interface, pub
 	}
 
 	watcher.AddEventHandler(p)
+
+	if namespaceWatcher != nil && (config.Hints.Enabled() || metaConf.Namespace.Enabled()) {
+		updater := newNamespacePodUpdater(p.unlockedUpdate, watcher.Store(), &p.crossUpdate)
+		namespaceWatcher.AddEventHandler(updater)
+	}
+
 	return p, nil
 }
 
 // OnAdd ensures processing of pod objects that are newly added
 func (p *pod) OnAdd(obj interface{}) {
+	p.crossUpdate.RLock()
+	defer p.crossUpdate.RUnlock()
+
 	p.logger.Debugf("Watcher Pod add: %+v", obj)
 	p.emit(obj.(*kubernetes.Pod), "start")
 }
@@ -124,6 +137,13 @@ func (p *pod) OnAdd(obj interface{}) {
 // if it is terminating, a stop event is scheduled, if not, a stop and a start
 // events are sent sequentially to recreate the resources assotiated to the pod.
 func (p *pod) OnUpdate(obj interface{}) {
+	p.crossUpdate.RLock()
+	defer p.crossUpdate.RUnlock()
+
+	p.unlockedUpdate(obj)
+}
+
+func (p *pod) unlockedUpdate(obj interface{}) {
 	pod := obj.(*kubernetes.Pod)
 
 	p.logger.Debugf("Watcher Pod update for pod: %+v, status: %+v", pod.Name, pod.Status.Phase)
@@ -162,6 +182,9 @@ func (p *pod) OnUpdate(obj interface{}) {
 
 // OnDelete stops pod objects that are deleted
 func (p *pod) OnDelete(obj interface{}) {
+	p.crossUpdate.RLock()
+	defer p.crossUpdate.RUnlock()
+
 	p.logger.Debugf("Watcher Pod delete: %+v", obj)
 	time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(obj.(*kubernetes.Pod), "stop") })
 }
@@ -448,3 +471,60 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet
 		p.publish(events)
 	}
 }
+
+// podUpdaterHandlerFunc is a function that handles pod updater notifications.
+type podUpdaterHandlerFunc func(interface{})
+
+// podUpdaterStore is the interface that an object needs to implement to be
+// used as a pod updater store.
+type podUpdaterStore interface {
+	List() []interface{}
+}
+
+// namespacePodUpdater notifies updates on pods when their namespaces are updated.
+type namespacePodUpdater struct {
+	handler podUpdaterHandlerFunc
+	store   podUpdaterStore
+	locker  sync.Locker
+}
+
+// newNamespacePodUpdater creates a namespacePodUpdater
+func newNamespacePodUpdater(handler podUpdaterHandlerFunc, store podUpdaterStore, locker sync.Locker) *namespacePodUpdater {
+	return &namespacePodUpdater{
+		handler: handler,
+		store:   store,
+		locker:  locker,
+	}
+}
+
+// OnUpdate handles update events on namespaces.
+func (n *namespacePodUpdater) OnUpdate(obj interface{}) {
+	ns, ok := obj.(*kubernetes.Namespace)
+	if !ok {
+		return
+	}
+
+	// n.store.List() returns a snapshot at this point. If a delete is received
+	// from the main watcher, this loop may generate an update event after the
+	// delete is processed, leaving configurations that would never be deleted.
+	// Also this loop can miss updates, what could leave outdated configurations.
+	// Avoid these issues by locking the processing of events from the main watcher.
+	if n.locker != nil {
+		n.locker.Lock()
+		defer n.locker.Unlock()
+	}
+	for _, pod := range n.store.List() {
+		pod, ok := pod.(*kubernetes.Pod)
+		if ok && pod.Namespace == ns.Name {
+			n.handler(pod)
+		}
+	}
+}
+
+// OnAdd handles add events on namespaces. Nothing to do, if pods are added to this
+// namespace they will generate their own add events.
+func (*namespacePodUpdater) OnAdd(interface{}) {}
+
+// OnDelete handles delete events on namespaces. Nothing to do, if pods are deleted from this
+// namespace they will generate their own delete events.
+func (*namespacePodUpdater) OnDelete(interface{}) {}