Azure Kubernetes Services - metadata API error

Hi folks,

Apologies if this has already been mentioned, I couldn't find much reference to it.
Would love to get some input as to what the cause of the error might be, as I've not managed to figure it out. I can use filebeat's processors to remove the message as it's causing a bit of noise in our logs, but would rather get to the root of the problem.

I've seen this with Filebeat 6.4.0, 6.3.x and 6.2.4 using the elastic docker images on AKS. I've not yet tried other managed kubernetes services like AWS EKS or Google's GKE, but will update this as I find things out.

I have filebeat running on AKS, sending logs to AWS' ElasticSearch service. Large parts of the kuvernetes manifests have been borrowed from the elastic repo. We are occasionally receiving error messages about attempting to enrich log messages with kubernetes metadata:
kubernetes: Watching API error unexpected EOF.

Any help would be greatly appreciated. Cheers,

Alexander

Here is the filebeat config:

logging.json: true
filebeat.registry_file: /var/lib/filebeat/registry/registry
filebeat.config:
  modules: []
filebeat.inputs:
  - type: docker
    containers.ids:
      - "*"
    processors:
      - add_kubernetes_metadata:
          in_cluster: true
      - drop_event:
          when:
            or:
              - equals:
                  kubernetes.container.name: tunnel-front
              - equals:
                  kubernetes.container.name: azureproxy
              - equals:
                  kubernetes.container.name: redirector
              - contains:
                  kubernetes.container.name: filebeat
              - equals:
                  kubernetes.container.name: kube-proxy
              - equals:
                  kubernetes.container.name: kube-svc-redirect
              - equals:
                  kubernetes.container.name: kube-dns
              - equals:
                  kubernetes.container.name: heapster
              - equals:
                  kubernetes.container.name: main
              - equals:
                  kubernetes.container.name: kubernetes-dashboard
    json.keys_under_root: true
    json.add_error_key: true
    json.ignore_decoding_error: true
output.elasticsearch:
  hosts: ['<redacted>']
  protocol: "https"

Here is the kubernetes manifest:

   ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: filebeat-config
      namespace: default
      labels:
        k8s-app: filebeat
        kubernetes.io/cluster-service: "true"
    data:
      filebeat.yml: |-
        logging.json: true
        filebeat.registry_file: /var/lib/filebeat/registry/registry
        filebeat.config:
          modules: []
        filebeat.inputs:
          - type: docker
            containers.ids:
              - "*"
            processors:
              - add_kubernetes_metadata:
                  in_cluster: true
              - drop_event:
                  when:
                    or:
                      - equals:
                          kubernetes.container.name: tunnel-front
                      - equals:
                          kubernetes.container.name: azureproxy
                      - equals:
                          kubernetes.container.name: redirector
                      - contains:
                          kubernetes.container.name: filebeat
                      - equals:
                          kubernetes.container.name: kube-proxy
                      - equals:
                          kubernetes.container.name: kube-svc-redirect
                      - equals:
                          kubernetes.container.name: kube-dns
                      - equals:
                          kubernetes.container.name: heapster
                      - equals:
                          kubernetes.container.name: main
                      - equals:
                          kubernetes.container.name: kubernetes-dashboard
            json.keys_under_root: true
            json.add_error_key: true
            json.ignore_decoding_error: true
        output.elasticsearch:
          hosts: ['<redacted>']
          protocol: "https"
    ---
    apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
      name: filebeat
      namespace: default
      labels:
        k8s-app: filebeat
        kubernetes.io/cluster-service: "true"
    spec:
      template:
        metadata:
          labels:
            k8s-app: filebeat
            kubernetes.io/cluster-service: "true"
        spec:
          serviceAccountName: filebeat
          terminationGracePeriodSeconds: 30
          containers:
          - name: filebeat
            image: docker.elastic.co/beats/filebeat:6.4.0
            args: [
              "-c", "/etc/filebeat.yml",
              "-e"
            ]
            securityContext:
              runAsUser: 0
            volumeMounts:
            - name: config
              mountPath: /etc/filebeat.yml
              readOnly: true
              subPath: filebeat.yml
              readOnly: true
            - name: data
              mountPath: /usr/share/filebeat/data
            - name: filebeat-registry
              mountPath: /var/lib/filebeat/registry
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
          volumes:
          - name: config
            configMap:
              defaultMode: 0600
              name: filebeat-config
          - name: varlibdockercontainers
            hostPath:
              path: /var/lib/docker/containers
          - name: varlog
            hostPath:
              path: /var/log
          - name: data
            hostPath:
              type: DirectoryOrCreate
              path: /usr/share/filebeat/data
          - name: filebeat-registry
            hostPath:
              type: DirectoryOrCreate
              path: /var/lib/filebeat/registry
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: filebeat
    subjects:
    - kind: ServiceAccount
      name: filebeat
      namespace: default
    roleRef:
      kind: ClusterRole
      name: filebeat
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: filebeat
      labels:
        k8s-app: filebeat
    rules:
    - apiGroups: [""] # "" indicates the core API group
      resources:
      - namespaces
      - pods
      verbs:
      - get
      - watch
      - list
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: filebeat
      namespace: default
      labels:
        k8s-app: filebeat
    ---

Hi @ac-astuartkregor,

Thank you for sharing your experience! This error (kubernetes: Watching API error unexpected EOF) may happen from time to time and should be harmless, as Filebeat recovers from it. Is the enriching working for you? Do you experience any issue in the obtained data or overall behavior?

Best regards

1 Like

Hi there @exekias!

Thanks for replying. Ah ok, I was curious to know whether there was something more sinister. As far as I can tell, some if not all the metadata is being successfully applied to the log messages that we get through to ElasticSearch.

Since the error is mostly informational, perhaps it'd be worth discarding those messages if they're causing extra noise.

Many thanks for your feedback!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.