Filebeat kubernets api metadata isnt optional

So I decided to test out what happens if filebeat could not access the k8s API, by giving it no reading access to the API, hoping that filebeat will send the logs without kubernetes metadata. But I observed that it will not send the logs unless it has the metadata. Is this intended? I figured it would make more sense to carry on sending the logs without this enhancement.

{"time":"2018-06-01T16:32:04.950783-04:00","log":"2018-06-01T20:32:04.950Z#011INFO#011kubernetes\/watcher.go:140#011kubernetes: Watching API for pod events"}
{"time":"2018-06-01T16:32:04.951133-04:00","log":"2018-06-01T20:32:04.950Z#011ERROR#011kubernetes\/watcher.go:145#011kubernetes: Watching API error kubernetes api: Failure 403 pods is forbidden: Ubeat-user\" cannot watch pods at the cluster scope"}
{"time":"2018-06-01T16:32:04.951374-04:00","log":"2018-06-01T20:32:04.950Z#011INFO#011kubernetes\/watcher.go:140#011kubernetes: Watching API for pod events"}
{"time":"2018-06-01T16:32:04.952057-04:00","log":"2018-06-01T20:32:04.951Z#011ERROR#011kubernetes\/watcher.go:145#011kubernetes: Watching API error kubernetes api: Failure 403 pods is forbidden: Ubeat-user\" cannot watch pods at the cluster scope"}

I managed to do this, by making a service account that doesn't have appropriate access that filebeat requires.

Hi @shane99a,

If this is the case, that should be considered a bug, the expected behavior is what you describe (send them without the metadata). Could you please provide all the steps to test this? Perhaps you can do that in a new issue in github: https://github.com/elastic/beats/issues/new

Thank you for taking the time to test and provide feedback!

Best regards

Thanks, I logged a ticket: https://github.com/elastic/beats/issues/7252. I am using Filebeat 6.2.3 if that makes a difference.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.