[New Package] Add Kubelet Stats OpenTelemetry input package

[kpollich]

Proposed commit message

This PR adds a new input package for collecting Kubernetes metrics from the Kubelet API using the OpenTelemetry kubeletstatsreceiver.

Summary

• Collects node, pod, container, and volume metrics
• Multiple authentication methods (serviceAccount, TLS, kubeConfig, none)
• Configurable metric groups and collection intervals
• Support for extra metadata labels
• Network interface collection configuration
• Validate that the Kubernetes content package is installed automatically.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

• Closes Create Input Package: Kubelet stats receiver #17140

Screenshots

How to test this PR locally

These instructions guide you through manually testing the kubeletstats_otel input package. You will set up a local Kubernetes cluster, install the package via Fleet, and verify that kubelet stats metrics are being ingested.

Prerequisites

Ensure you have the following installed:

• Docker - For running kind and the Elastic Stack

• kind - Kubernetes in Docker (install guide)

• kubectl - Kubernetes CLI (install guide)

• elastic-package - For building and serving the package locally

  # Build elastic-package from the integrations repo
  cd /path/to/integrations
  go build github.com/elastic/elastic-package

Step 1: Start the Elastic Stack

Start a local Elastic Stack using elastic-package:

cd packages/kubeletstats_otel

# Start the Elastic Stack (Elasticsearch, Kibana, Fleet Server)
elastic-package stack up -d -v

# Verify the stack is running
elastic-package stack status

The stack will be accessible at:

• Kibana: https://localhost:5601
• Elasticsearch: https://localhost:9200
• Default credentials: elastic / changeme

Step 2: Build and Install the Package

Build and install the kubeletstats_otel package into the local Kibana:

# From the package directory
cd packages/kubeletstats_otel

# Build the package
elastic-package build

# Install the package into Kibana
elastic-package install -v

Step 3: Create a Kubernetes Cluster with kind

Create a kind cluster that will provide the Kubelet API for metrics collection:

kind create cluster --config kind-config.yaml --image 'kindest/node:v1.33.0'

# Get the node name (you'll need this later)
kubectl get nodes

Step 4: Connect kubernetes cluster (kind) to elastic-stack

Connect the control plane container to the docker network where it is running the Elastic stack.

NOTE: If you have run system tests previously, the docker network connect command could fail.

# Take note of the container ID
docker ps |grep control-plane

# Connect container to the network stack
docker network connect elastic-package-stack_default <containerID>

Step 5: Deploy Elastic Agent in the Kubernetes Cluster

5a. Create the Agent Policy in Fleet

1. Open Kibana at https://localhost:5601 (login: elastic / changeme)
2. Navigate to Fleet → Agent policies
3. Click Create agent policy
4. Name it kubeletstats-test-policy and click Create agent policy

5b. Add the Kubelet Stats Integration

1. In the new policy, click Add integration
2. Search for "Kubelet Stats OpenTelemetry" and select it
3. Configure the integration:
   • Endpoint: https://${env.NODE_IP}:10250 (Kubelet secure port)
   • Auth Type: Service Account (recommended for in-cluster)
   • Skip TLS Verification: Enable for testing (the Kubelet uses a self-signed cert)
   • Collection Interval: 10s (for faster feedback during testing)
   • Metric Groups: Keep defaults (container, pod, node)
4. Click Save and continue

5c. Create RBAC for Elastic Agent

Create the necessary RBAC permissions for the Elastic Agent to access kubelet stats:

NOTE: Most of these permissions are already in place by the manifest provided by Kibana. It just misses the get permission for nodes/proxy.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent-kubelet-stats
rules:
- apiGroups: [""]
  resources: ["nodes/stats", "nodes/proxy"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["nodes", "namespaces", "pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent-kubelet-stats
subjects:
- kind: ServiceAccount
  name: elastic-agent
  namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent-kubelet-stats
  apiGroup: rbac.authorization.k8s.io
EOF

5d. Deploy Elastic Agent as a DaemonSet

1. In Kibana Fleet, go to Agent policies → kubeletstats-test-policy
2. Click Add agent → Enroll in Fleet
3. Select Kubernetes as the deployment method
4. Copy the provided manifest or use the elastic-agent Helm chart

For quick testing, you can modify the manifest to:

• Use the elastic-agent service account created above
• Set the NODE_IP environment variable from the downward API

To the manifest provided by Kibana, it needs to be added the CA used by elastic-package.
For that, include the following definitions:

---
apiVersion: v1
kind: Secret
metadata:
  name: elastic-package-certs
  namespace: kube-system
data:
  # this string should be generated with 
  # base64 ~/.elastic-package/profiles/default/certs/ca-cert.pem
  ca-cert.pem: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlekNDQVNDZ0F3SUJBZ0lRQzBJcUYzOHNX
    ZVJ3bW81UC9OaHRT...

---
spec:
  template:
    spec:
      containers:
        - name: elastic-agent
          env:
            - name: SSL_CERT_DIR
              value: "/etc/ssl/certs:/etc/ssl/elastic-package"
            - ...
          volumeMounts:
            - name: elastic-package-ca
              mountPath: /etc/ssl/elastic-package
              readOnly: true
            - ...
      volumes:
        - name: elastic-package-ca
          secret:
            secretName: elastic-package-certs
        - ...

Step 6: Verify Data Ingestion

6a. Check Agent Status

In Kibana Fleet, verify the agent is healthy:

1. Go to Fleet → Agents
2. Confirm the agent shows as "Healthy"

6b. Query for Kubelet Stats Metrics

In Kibana Dev Tools, run the following query to verify metrics are being ingested:

GET metrics-*/_search
{
  "query": {
    "bool": {
      "should": [
        { "prefix": { "name": "k8s.node" } },
        { "prefix": { "name": "k8s.pod" } },
        { "prefix": { "name": "k8s.container" } },
        { "prefix": { "name": "k8s.volume" } }
      ],
      "minimum_should_match": 1
    }
  },
  "size": 10,
  "sort": [{ "@timestamp": "desc" }]
}

You should see metrics like:

• k8s.node.cpu.utilization
• k8s.node.memory.usage
• k8s.pod.cpu.utilization
• k8s.pod.memory.usage
• k8s.container.cpu.utilization
• k8s.container.memory.usage

6c. Explore in Discover

1. Go to Discover in Kibana
2. Create or select a data view matching metrics-*
3. Filter for kubelet stats metrics and explore the ingested data

Step 7: Run Automated System Tests

You can also run the automated system tests included with the package:

cd packages/kubeletstats_otel

# This will spin up a kind cluster and run the tests automatically
elastic-package test system -v

Cleanup

# Delete the kind cluster
kind delete cluster --name kubeletstats-test

# Stop the Elastic Stack
elastic-package stack down

# Clean up build artifacts
elastic-package clean

Troubleshooting

Agent not enrolling:

• Check Fleet Server logs in Docker: docker logs elastic-package-stack-fleet-server-1
• Verify the enrollment token is correct

No metrics appearing:

• Check the Elastic Agent logs: kubectl logs -l app=elastic-agent
• Verify RBAC permissions are applied: kubectl auth can-i get nodes/stats --as=system:serviceaccount:default:elastic-agent
• Ensure insecure_skip_verify is enabled (kind uses self-signed certs)

Connection refused to Kubelet:

• Verify the endpoint uses port 10250 (secure) not 10255 (read-only, usually disabled)
• Check that NODE_IP environment variable is correctly set

---

Generated with Claude Code

[elasticmachine]

Pinging @elastic/ecosystem (Team:Ecosystem)

[kpollich]

@claude please do a thorough review -- pay careful attention to the receiver upstream and at our other input packages

[github-actions]

Claude finished @kpollich's task in 3m 5s —— View job

---

Review Complete

I've submitted a detailed review of this PR. Key findings:

✅ Looks Good:

• Package structure follows established patterns
• Comprehensive configuration coverage for all auth types
• Thorough documentation with troubleshooting tips
• Package passes elastic-package check validation

💡 Non-blocking Suggestions:

1. Consider using type: duration for interval fields (like other otel packages)
2. RBAC docs may need nodes/proxy permission for extra_metadata_labels
3. Missing tls option in k8s_api_config_auth_type select field
4. Endpoint default guidance for auth_type: none users

The package is well-implemented and ready for merge. See the full review for details.

---

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

PR Review: Kubelet Stats OpenTelemetry Input Package

Overall this is a well-structured package that follows the existing patterns in the repository. The package passes elastic-package check validation. I've compared it against the upstream kubeletstatsreceiver and other input packages in this repo. Below are my findings.

🟢 Looks Good

1. Package structure follows the established pattern (LICENSE.txt, manifest.yml, docs, _dev/test/policy, agent/input, img)
2. Configuration coverage is comprehensive - supports all four auth types (none, tls, serviceAccount, kubeConfig)
3. Handlebars template correctly handles conditional rendering for optional fields
4. Documentation is thorough with troubleshooting tips and RBAC examples
5. Test policy validates the expected output structure

🟡 Suggestions (Non-blocking)

1. insecure_skip_verify conditional may output false when not wanted

In input.yml.hbs:16-18, the current pattern:

{{#if insecure_skip_verify}}
    insecure_skip_verify: {{insecure_skip_verify}}
{{/if}}

Since insecure_skip_verify defaults to false in manifest.yml, this conditional will be falsy and won't render. This is actually the desired behavior! However, if a user explicitly sets it to true, it will render correctly. Just noting this is working as expected.

2. Consider using type: duration for interval fields

The nginx_input_otel package uses type: duration for collection_interval and initial_delay, which provides validation. This package uses type: text. Either approach works, but duration type provides additional validation.

manifest.yml:39-45:

- name: collection_interval
  type: text  # Could be: type: duration
  ...

3. RBAC documentation may need nodes/proxy permission

According to upstream docs, when using extra_metadata_labels (like container.id) or node utilization metrics, the RBAC requires access to nodes/proxy in addition to nodes/stats. Consider expanding the RBAC example in docs/README.md:

rules:
- apiGroups: [""]
  resources: ["nodes/stats", "nodes/proxy"]  # nodes/proxy needed for extra_metadata_labels
  verbs: ["get"]

4. Missing tls auth type in k8s_api_config options

The main auth_type field has four options (none, tls, serviceAccount, kubeConfig), but k8s_api_config_auth_type only has three options (missing tls). Based on upstream docs, the K8s API config supports the same auth types.

manifest.yml:119-131:

- name: k8s_api_config_auth_type
  type: select
  options:
    - value: none
      text: None
    - value: serviceAccount  
      text: Service Account
    - value: kubeConfig
      text: Kube Config
    # Consider adding:
    # - value: tls
    #   text: TLS

5. Endpoint default may need adjustment for auth_type: none

The default endpoint is https://localhost:10250 (secure port), but the description mentions port 10255 is used for auth_type: none (read-only). Users selecting none auth would need to manually change the endpoint and protocol to http://localhost:10255.

Consider adding guidance in the description or providing a more explicit warning in the documentation.

⚪ Minor Observations

• The logo SVG looks like a Kubernetes helm logo - which is appropriate for kubelet stats
• Changelog properly links to the originating issue #17140
• The _dev/build/docs/README.md and docs/README.md files are identical (expected for packages without template variables)

Summary

This is a solid contribution that correctly implements the kubeletstats receiver. The suggestions above are all non-blocking improvements. The package is ready for merge from my perspective, though you may want to address the tls auth type omission in k8s_api_config if upstream supports it.

---

🤖 Review performed by Claude | View job run

[github-actions]

This is a well-structured new OTel input package for Kubelet Stats. The package follows the established patterns for input packages in this repository.

The template correctly handles the complex conditional logic for network interface collection and TLS configuration. The policy test validates the default configuration correctly.

One minor documentation improvement suggested (LOW severity, non-blocking).

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

This PR adds a well-structured OpenTelemetry input package for collecting Kubelet stats. The implementation follows established patterns used by other OTel input packages in this repository.

The package correctly:

• Defines the kubeletstatsreceiver configuration with appropriate variables
• Supports multiple authentication methods (serviceAccount, TLS, kubeConfig, none)
• Includes proper policy tests
• Provides comprehensive documentation

Two low-severity suggestions are provided as inline comments:

1. The endpoint description could be clarified regarding the port/protocol differences
2. The build template should include the generatedHeader directive for consistency

CI is passing and the package builds successfully.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

The package has a build issue that causes elastic-package lint to fail:

Primary Issue: The docs/README.md file is out of sync with the _dev/build/docs/README.md template. It appears that the docs/README.md was manually edited with additional content (extra metadata labels section, Kubernetes API configuration, node utilization metrics, kubeConfig authentication example) instead of being generated from the template.

Resolution: Either:

1. Copy the additional documentation content from docs/README.md to _dev/build/docs/README.md, then run elastic-package build to regenerate docs/README.md, OR
2. Delete docs/README.md and run elastic-package build to regenerate it from the template (if the simpler template documentation is acceptable)

After resolving, verify with elastic-package lint that the package passes validation.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[kpollich]

@claude Please give this PR another thorough review.

[github-actions]

Claude finished @kpollich's task in 1m 41s —— View job

---

Reviewing PR

• Get repository context
• View PR diff and changes
• Review code for issues
• Submit review

I've submitted my review requesting changes. The main issue is that docs/README.md is out of sync with the build template, causing CI to fail. See the review details for specifics.

---

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

The package structure and configuration coverage are good, but there is a blocking issue that must be fixed before merge:

Must Fix:
The docs/README.md file is out of sync with _dev/build/docs/README.md. The docs file contains additional content (extra metadata labels section, Kubernetes API configuration, node utilization metrics documentation) that was manually added instead of being added to the build template. This causes elastic-package lint to fail.

To resolve: Copy the additional documentation content from docs/README.md to _dev/build/docs/README.md, then run elastic-package build to regenerate docs/README.md from the template.

Minor Observation:
The package has been updated to use type: duration for interval fields (which is good), and the manifest now includes the tls option in the k8s_api_config_auth_type select field. These improvements from earlier feedback have been addressed.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

The package follows established patterns for OTel input packages and is well-structured. The template conditionals for the optional metrics block (lines 64-104 in input.yml.hbs) are complex but functionally correct. Configuration options appropriately mirror the upstream kubeletstatsreceiver options. No security, correctness, or significant quality issues identified.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

This PR adds a well-structured OpenTelemetry input package for collecting Kubernetes metrics from the Kubelet API.

The package follows established patterns for OTel input packages in this repository:

• Correct manifest structure with appropriate variables for authentication (serviceAccount, TLS, kubeConfig, none)
• Proper Handlebars template for generating OTel collector configuration
• Policy tests that validate the expected output
• Comprehensive documentation covering configuration, RBAC requirements, and troubleshooting

No blocking issues identified.

The code passes linting and builds successfully. The complex conditional logic in the input template for optional metrics is correctly implemented, though somewhat verbose. The TLS configuration follows the upstream kubeletstatsreceiver format.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[strawgate]

@claude can you look at all the review comments and resolve them if they're already taken care of?

[github-actions]

Claude finished @strawgate's task in 1m 24s —— View job

---

Checking Review Comments

• Get repository context
• View all unresolved review threads (found 8)
• Check current state of files for each comment
• Resolve threads that have been addressed

Summary:

Resolved 3 threads that were already addressed:

1. ✅ manifest.yml:35 - Endpoint description already mentions both ports (10255 for auth_type none, 10250 for authenticated methods)
2. ✅ docs/README.md:1 - Both README files are now identical and in sync
3. ✅ docs/README.md:1 (duplicate thread) - Same as above

5 threads remain unresolved (not yet addressed):

1. manifest.yml:103 (x2 duplicate threads) - Description still says "Comma-separated list" but with multi: true, this should be changed
2. _dev/build/docs/README.md:1 - Missing {{- generatedHeader }} directive
3. _dev/build/docs/README.md:69 (x2 duplicate threads) - Collection interval example shows 10s but manifest default is 20s

---

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[mrodm]

Would it be posible to add a system test here ?

Looking at the current kubernetes integration package seems that there are some datastreams there that are testing kubelet too:
https://github.com/elastic/integrations/blob/a6223f4e9fb317405acf5fdc8e04b88941ce5594/packages/kubernetes/_dev/build/docs/kubelet.md

As a context, these tests spin up a K8s cluster via kind.

IIUC that package, it would be adding the _dev/deploy/k8s folder with just an .empty file (to force using the k8s deployer). With that it would be needed to add a system test.

This would be the system test for that datastream in the kubernetes integration package: https://github.com/elastic/integrations/blob/a6223f4e9fb317405acf5fdc8e04b88941ce5594/packages/kubernetes/data_stream/container/_dev/test/system/test-default-config.yml

[mrodm]

Reading the documentation of the receiver, it looks like it is required to create some resources to be able to receive these stats metrics:

https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/kubeletstatsreceiver#role-based-access-control

The kubernetes resources needed can be defined in YAML files under the _dev/deploy/k8s/ folder.

[kpollich]

@claude Please take a look at @mrodm's review above and address it. Use the linked examples in the comment to add system tests for the kubeletstats_receiver input package. Ensure the tests pass when run via elastic-package test system

[github-actions]

Claude finished @kpollich's task in 8m 43s —— View job

---

Adding System Tests for Kubelet Stats Package

• Get repository context
• Understand the existing system test patterns
• Review the linked examples from the kubernetes integration
• Add system tests for kubeletstats_otel package
  • Create _dev/deploy/k8s/.empty directory
  • Create system test configuration
• Run and verify tests pass
• Commit and push changes

Summary:
Added system tests for the kubeletstats_otel package based on the patterns from the kubernetes integration package. The tests:

1. Created _dev/deploy/k8s/.empty to enable the Kubernetes deployer (spins up a kind cluster)
2. Added _dev/test/system/test-default-config.yml with configuration for service account authentication to the Kubelet API

The tests have been verified to pass locally via elastic-package test system - the package successfully collects kubelet stats metrics from the kind cluster.

Commit: e27647f

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
|

[kpollich]

@claude Please create detailed manual testing instructions for the kubeletstatus_receiver input package added in this PR and add them to the description. An engineering reviewing this PR should be able to follow the testing steps to install the input package, run it via Elastic Agent, and ingest some data from a local Kubernetes cluster.

[github-actions]

Claude finished @kpollich's task in 2m 39s —— View job

---

Creating Manual Testing Instructions

• Get repository context
• Review the kubeletstats_otel package structure
• Research testing patterns for similar packages
• Create detailed manual testing instructions
• Update PR description with testing instructions

Summary:

I've added comprehensive manual testing instructions to the PR description. The instructions cover:

1. Prerequisites - Required tools (Docker, kind, kubectl, elastic-package)
2. Step 1: Start the Elastic Stack - Using elastic-package to spin up a local stack
3. Step 2: Build and Install the Package - Building and installing the kubeletstats_otel package
4. Step 3: Create a Kubernetes Cluster - Setting up a kind cluster for testing
5. Step 4: Deploy Elastic Agent - Creating the agent policy, adding the integration, setting up RBAC, and deploying the agent as a DaemonSet
6. Step 5: Verify Data Ingestion - Checking agent status and querying for kubelet stats metrics
7. Step 6: Automated System Tests - How to run the included system tests
8. Cleanup - Commands to tear down the test environment
9. Troubleshooting - Common issues and solutions

The instructions should enable a reviewer to follow along and verify that the package correctly ingests kubelet stats metrics from a local Kubernetes cluster.

View updated PR description

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

The test file test-k8s-api-config.expected has a component ID mismatch that will cause policy tests to fail. The processor is defined as transform/componentid-1 but the pipeline (line 62) references transform/componentid-0.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

This is a well-structured input package that follows established patterns from similar OTel packages in the repository.

Unresolved Discussion Items:
Several open discussion threads need author/reviewer decisions before merge:

1. Endpoint default value (line 36-38): The current default https://localhost:10250 requires users to always override it. Consider using an environment variable default like https://${env:K8S_NODE_IP}:10250 per the discussion thread, which would work out-of-the-box in typical Kubernetes deployments.

2. metric_groups default (line 100-108): While @mrodm noted upstream defaults cover this, having explicit defaults in the manifest improves discoverability and documentation.

3. metrics YAML field (line 145-160): The field was added for advanced configuration. Awaiting decision on whether to keep it in the initial release.

No blocking technical issues were identified in this review.

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 31ba839

History

• 💚 Build #37839 succeeded 6df74eb
• 💚 Build #37836 succeeded 7cc9cfb
• 💚 Build #37827 succeeded c935555
• 💔 Build #37739 failed 7118e4c
• 💔 Build #37738 failed 0510501
• 💚 Build #37728 succeeded 2b72562

cc @mrodm @kpollich

[teresaromero]

👍🏻 nice testing!!

[elastic-vault-github-plugin-prod]

Package kubeletstats_input_otel - 0.1.0 containing this change is available at https://epr.elastic.co/package/kubeletstats_input_otel/0.1.0/