Filebeat on Kubernetes: can't make it work without cluster roles

Hello,

I am trying to deploy a Filebeat container (not a DaemonSet) on a k8s cluster (Kubernetes 1.21).
Used image: elastic/filebeat:7.8.1

The image starts correctly, but I can't get Filebeat working correctly:

E1130 15:47:41.183053 1 reflector.go:125] github.com/elastic/beats/libbeat/common/kubernetes/watcher.go:146: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:xxx:airflow-worker" cannot list resource "pods" in API group "" at the cluster scope

Filebeat always asks for cluster roles (which I don't have, since it's a shared cluster), and I can't avoid this error, even when trying to use autodiscover specifically on my namespace:

  autodiscover:
    providers:
      - type: kubernetes
        namespace: xxx
        templates:
          - condition:
              equals:
                kubernetes.namespace: xxx

Is it impossible to use a Filebeat container on K8s without cluster roles on the running service account?

Regards,
Guillaume

I don't think so, since they have to give the pod/Filebeat some sort of credentials that can query the k8s API to pull the data.

Is there any existing workaround? Because this is a death sentence for Beats on every shared cluster where clients don't have ClusterRoles.

No, there is no way to interact with a secured k8s cluster without credentials. It's no different than if you try to use kubectl: you have to be authenticated and will only have the privileges you've been given.

@legoguy1000: I am authenticated; my question is how to make the Filebeat sidecar work without cluster roles, which means only with namespace-limited rights (Roles and RoleBindings, not ClusterRoles and ClusterRoleBindings).
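For reference, this is what the "namespace-limited rights" asked about above look like as Kubernetes RBAC objects. It is an added example, not something posted in this thread or shipped by Elastic; it assumes the service account and namespace named in the error message (system:serviceaccount:xxx:airflow-worker) and an arbitrary Role name. A Role is itself namespaced, so the grant can never extend outside namespace xxx, which is the least-privilege shape a shared-cluster operator would normally accept:

```yaml
# Added example: namespace-scoped, read-only access to pods for the Filebeat
# sidecar's service account. Names "filebeat-pod-reader" are assumed; the
# service account and namespace come from the forbidden message in the thread.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: filebeat-pod-reader
  namespace: xxx
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # what a watcher needs; no write verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: filebeat-pod-reader
  namespace: xxx
subjects:
  - kind: ServiceAccount
    name: airflow-worker            # the SA from the error message
    namespace: xxx
roleRef:
  kind: Role                        # not ClusterRole
  name: filebeat-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Two checks go with this. First, the wording of the forbidden message tells you whether the request was namespaced at all: the API server says `at the cluster scope` for a list with no namespace and `in the namespace "xxx"` for a namespaced one, so as long as the Filebeat log still reads "at the cluster scope", the provider's `namespace: xxx` setting is not reaching it (for example because the snippet is not nested under `filebeat.autodiscover`) and no namespaced Role can satisfy that request. Second, verify the binding from the service account's point of view before restarting the pod: `kubectl auth can-i list pods --namespace xxx --as system:serviceaccount:xxx:airflow-worker` should answer `yes`, and the same command with `--all-namespaces` should answer `no`. If the provider additionally watches cluster-scoped resources such as nodes, the next forbidden message will name them; those cannot be granted by a namespaced Role and would need to be turned off or negotiated with the cluster operator.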

That one I don't know. I've only ever messed with cluster roles.
