As operators of a multi tenant Kubernetes cluster and operators of the Elastic Stack we want to be able to drop logs by namespace when log rates exceed a certain number. We'd like to control this by adding labels to a namespace and including the drop logic in logstash.
Would PodPresets help here?
They are alpha, not a definitive solution but a work-around.
The proposal sounds not bad, but I'd like to ask, assuming in the namespace there will be a limited set of parent objects (replicasets, statefulsets, daemonsets, jobs), wouldn't it be straightforward to label those parents?
If we were to that extra information for kubernetes object, namespace labels would sit in a somehow different layer from the pod, we would need to discuss it but most probably it would be an opt-in feature. Configuration items like add_namespace_labels: true under the already existing add_kubernetes_metadata feels like complicating the configuration
If parent labeling is not solution you are looking at, would you mind opening an issue at https://github.com/elastic/beats so we can continue there?
PodPresets look interesting, but I don't think they solve the issue I'm chasing.
You definitely can add labels to the parent objects like a deployment and have that propagate down to the pod. That works well if the app owner knows ahead of time that they do not want to send log data to elastic. If the label needs to be added after the fact to enforce a logging quota, this would be done by an automated system enforcing quotas or by an operator of the Elastic Stack. It wouldn't be appropriate for that person or system to add a label to the pod spec in a deployment they don't own which would cause pods to be redeployed.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.