Issue
add_resource_metadata is enabled at all times for two resources, namespaces and nodes.
There is an option to disable them (warning: hints should also be disabled, otherwise this will not work). For simplicity, I will only use namespace for this issue:
```yaml
add_resource_metadata:
  namespace.enabled: false
```
However, when creating the watcher, we don't check if it is enabled or not:
beats/libbeat/autodiscover/providers/kubernetes/pod.go, line 110 at cc39376:

```go
namespaceWatcher, err := kubernetes.NewNamedWatcher("namespace", client, &kubernetes.Namespace{}, kubernetes.WatchOptions{
```
And only later when it is time to add events, do we check for that:
beats/libbeat/autodiscover/providers/kubernetes/pod.go, lines 160 to 163 at cc39376:

```go
if namespaceWatcher != nil && (config.Hints.Enabled() || metaConf.Namespace.Enabled()) {
	updater := kubernetes.NewNamespacePodUpdater(p.unlockedUpdate, watcher.Store(), &p.crossUpdate)
	namespaceWatcher.AddEventHandler(updater)
}
```
The problem with this approach is that we always need permission to list namespaces at the cluster scope, when we shouldn't force the user to have it. But if they don't, we always face the error:

```text
W1122 12:17:27.683394 23 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metricbeat" cannot list resource "namespaces" in API group "" at the cluster scope
```

We face this issue when `resource` is set to `pod` (the default) and `service`.
We also need to prevent namespace/node watchers from being created when using enrichers.
To complete
`add_resource_metadata` or `hints` are enabled:
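The ordering problem described in the issue, as an added stand-alone example; this is not code from Beats or from client-go. A client-go reflector issues a cluster-scoped LIST as soon as the watcher starts, so the RBAC failure happens at construction time, not when a handler is attached. The stub `lister`, `newWatcher`, `buildCurrent`, `buildFixed` and `needsWatcher` below are hypothetical stand-ins that model only that behaviour: `buildCurrent` mirrors the current create-then-check order, `buildFixed` checks `hints` and `add_resource_metadata` before touching the API server, so a service account without `list` on `namespaces` never triggers the error when the feature is disabled.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden mimics the API server error quoted in the issue (constructed).
var ErrForbidden = errors.New(`namespaces is forbidden: User "system:serviceaccount:kube-system:metricbeat" cannot list resource "namespaces" in API group "" at the cluster scope`)

// lister is a hypothetical stand-in for the client-go ListWatch. allowed mirrors
// whether the service account holds a cluster-scoped list permission; calls
// counts how many LIST requests were issued.
type lister struct {
	allowed bool
	calls   int
}

func (l *lister) List(resource string) error {
	l.calls++
	if !l.allowed {
		return fmt.Errorf("failed to list *v1.%s: %w", resource, ErrForbidden)
	}
	return nil
}

// metaConfig mirrors the add_resource_metadata switches from the issue.
type metaConfig struct {
	NamespaceEnabled bool
	NodeEnabled      bool
}

// needsWatcher is the gate the issue asks for: a namespace/node watcher is only
// worth creating if something will consume its events, i.e. hints are enabled
// or the matching add_resource_metadata entry is enabled. This is also why the
// issue warns that hints must be disabled too for the option to take effect.
func needsWatcher(hints bool, resourceMetaEnabled bool) bool {
	return hints || resourceMetaEnabled
}

// watcher is a hypothetical stand-in for the result of kubernetes.NewNamedWatcher.
type watcher struct {
	name     string
	handlers int
}

// newWatcher models construction: like a reflector it lists immediately, so
// the RBAC check is paid here regardless of whether a handler is ever added.
func newWatcher(name string, l *lister) (*watcher, error) {
	if err := l.List(name); err != nil {
		return nil, err
	}
	return &watcher{name: name}, nil
}

// buildCurrent reproduces the order described in the issue: create the watcher
// first, consult the config only when attaching the handler. The LIST (and the
// forbidden error) happens even when the handler is never attached.
func buildCurrent(l *lister, hints bool, cfg metaConfig) (*watcher, error) {
	w, err := newWatcher("Namespace", l)
	if err != nil {
		return nil, err
	}
	if w != nil && needsWatcher(hints, cfg.NamespaceEnabled) {
		w.handlers++
	}
	return w, nil
}

// buildFixed consults the config before touching the API server: with the
// feature disabled no watcher is created, no LIST is issued, and no
// cluster-scoped permission is required.
func buildFixed(l *lister, hints bool, cfg metaConfig) (*watcher, error) {
	if !needsWatcher(hints, cfg.NamespaceEnabled) {
		return nil, nil
	}
	w, err := newWatcher("Namespace", l)
	if err != nil {
		return nil, err
	}
	w.handlers++
	return w, nil
}

func main() {
	cfg := metaConfig{NamespaceEnabled: false}
	// Service account without cluster-scoped list on namespaces.
	l := &lister{allowed: false}
	_, err := buildCurrent(l, false, cfg)
	fmt.Println("current order:", err)
	l2 := &lister{allowed: false}
	w, err := buildFixed(l2, false, cfg)
	fmt.Printf("fixed order: watcher=%v err=%v list calls=%d\n", w, err, l2.calls)
}
```

With the metadata disabled and hints off, `buildCurrent` still issues one LIST and returns the forbidden error, while `buildFixed` returns no watcher and never contacts the API server; with hints on, `buildFixed` still creates the watcher, which is the behaviour the issue's warning about hints describes.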