So I decided to test out what happens if filebeat could not access the k8s API, by giving it no reading access to the API, hoping that filebeat will send the logs without kubernetes metadata. But I observed that it will not send the logs unless it has the metadata. Is this intended? I figured it would make more sense to carry on sending the logs without this enhancement.
{"time":"2018-06-01T16:32:04.950783-04:00","log":"2018-06-01T20:32:04.950Z#011INFO#011kubernetes\/watcher.go:140#011kubernetes: Watching API for pod events"}
{"time":"2018-06-01T16:32:04.951133-04:00","log":"2018-06-01T20:32:04.950Z#011ERROR#011kubernetes\/watcher.go:145#011kubernetes: Watching API error kubernetes api: Failure 403 pods is forbidden: Ubeat-user\" cannot watch pods at the cluster scope"}
{"time":"2018-06-01T16:32:04.951374-04:00","log":"2018-06-01T20:32:04.950Z#011INFO#011kubernetes\/watcher.go:140#011kubernetes: Watching API for pod events"}
{"time":"2018-06-01T16:32:04.952057-04:00","log":"2018-06-01T20:32:04.951Z#011ERROR#011kubernetes\/watcher.go:145#011kubernetes: Watching API error kubernetes api: Failure 403 pods is forbidden: Ubeat-user\" cannot watch pods at the cluster scope"}
I managed to do this, by making a service account that doesn't have appropriate access that filebeat requires.