filter_kubernetes: use service account issuer to detect EKS env

[movence]

Background

Explored Related introduced filter_kubernetes to add Kubernetes metadata to logs and metrics. The filter historically relied on the presence of the aws-auth ConfigMap to determine if the cluster is running on Amazon EKS. However, with the launch of EKS access entries, the aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters.

Problem

With the launch of EKS access entries, aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters. Missing ConfigMap causes two issues:

• Noisy audit logs: Generates 404 not found errors in k8s audit logs when the aws-auth ConfigMap doesn't exist
• Incorrect platform tagging: EKS clusters using access entries (API ) are falsely tagged as Generic or K8s platform instead of AWS::EKS for "Explore Related" functionality

NA

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change

application-log.conf: |
          [INPUT]
            Name                tail
            Tag                 application.*
            Exclude_Path        /var/log/containers/cloudwatch-agent*, /var/log/containers/fluent-bit*, /var/log/containers/aws-node*, /var/log/containers/kube-proxy*
            Path                /var/log/containers/*.log
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_container.db
            Mem_Buf_Limit       50MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Rotate_Wait         30
            storage.type        filesystem
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/fluent-bit*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_log.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/cloudwatch-agent*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_cwagent.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [FILTER]
            Name                aws
            Match               application.*
            enable_entity   true
          
          [FILTER]
            Name                kubernetes
            Match               application.*
            Kube_URL            https://kubernetes.default.svc:443
            Kube_Tag_Prefix     application.var.log.containers.
            Merge_Log           On
            Merge_Log_Key       log_processed
            K8S-Logging.Parser  On
            K8S-Logging.Exclude Off
            Labels              Off
            Annotations         Off
            Use_Kubelet         On
            Kubelet_Port        10250
            Buffer_Size         0
          
          [OUTPUT]
            Name                cloudwatch_logs
            Match               application.*
            region              ${AWS_REGION}
            log_group_name      /aws/containerinsights/${CLUSTER_NAME}/application
            log_stream_prefix   ${HOST_NAME}-
            auto_create_group   true
            extra_user_agent    container-insights

• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • More reliable detection of AWS EKS by inspecting the service account token issuer, improving behavior in restricted clusters.

• Bug Fixes

  • Removes dependence on cluster config objects for platform detection, reducing permission needs and misdetection risk.
  • Improved error handling, parsing robustness, and resource cleanup during detection.

• Documentation

  • Updated comments describing the new EKS detection approach.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Replaced ConfigMap-based EKS detection with serviceaccount JWT issuer inspection and removed the exported AWS_AUTH_CONFIG_MAP macro. determine_platform now reads the serviceaccount token, parses the JWT payload, base64-decodes it, extracts the "iss" field, and matches EKS OIDC URL patterns. (≤50 words)

Changes

Cohort / File(s)	Summary
Platform detection via JWT issuer plugins/filter_kubernetes/kubernetes_aws.c	Rewrote determine_platform to read the serviceaccount token file, validate/split the JWT (header.payload.signature), base64-decode the payload, extract the "iss" field, match EKS OIDC patterns (oidc.eks.*.amazonaws.com/id/...), and return 1 for EKS or -1 on failures; added error handling and memory cleanup.
Public macro cleanup plugins/filter_kubernetes/kube_conf.h	Removed exported macro AWS_AUTH_CONFIG_MAP (previously "aws-auth") and updated comment to describe issuer-based verification via serviceaccount token instead of ConfigMap lookup.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant FLB as Fluent Bit
  participant K8S as kubernetes_aws.c
  participant FS as Filesystem

  Note right of K8S #F0F4FF: determine_platform(ctx)
  K8S->>FS: read serviceaccount token file
  alt read fails
    K8S-->>FLB: return -1
  else token read
    K8S->>K8S: split JWT (header.payload.signature)
    alt malformed JWT
      K8S-->>FLB: return -1
    else JWT ok
      K8S->>K8S: base64-decode payload
      alt decode fails
        K8S-->>FLB: return -1
      else decoded payload
        K8S->>K8S: extract "iss" value
        alt issuer matches oidc.eks.*.amazonaws.com/id/...
          Note right of K8S #DFF2E1: EKS detected
          K8S-->>FLB: return 1
        else no match
          K8S-->>FLB: return -1
        end
      end
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• koleini
• fujimotos

Poem

I nibble tokens, hop through JWTs bright,
Base64 crumbs guide me through the night.
ConfigMaps folded, issuer leads the way—
EKS whispers hidden in the OIDC bay. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly summarizes the primary change by indicating that the filter_kubernetes plugin will now use the service account issuer to detect EKS environments, which directly reflects the core modifications in the PR. It is concise, specific, and avoids unnecessary details or noise. Team members scanning history will immediately understand the intent and scope of this update.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a27fbf and 1c0104a.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kube_conf.h

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (4)

plugins/filter_kubernetes/kubernetes_aws.c (4)

26-26: LGTM!

The include is necessary for flb_utils_read_file used at line 297.

---

296-300: LGTM!

Token file reading with proper error handling.

---

302-313: LGTM!

JWT structure validation correctly identifies the three-part format (header.payload.signature).

---

315-325: LGTM!

Payload extraction logic correctly isolates the JWT's middle segment.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

[chatgpt-codex-connector]

Decode service account JWT with standard Base64

determine_platform decodes the service account token payload via flb_base64_decode, which only accepts standard Base64 characters (+ and /) and padding. Kubernetes service-account tokens are JWTs encoded with Base64URL (- and _, typically unpadded), so this call fails with FLB_BASE64_ERR_INVALID_CHARACTER and the function always returns -1. As a result EKS environments are never detected and the platform stays k8s, breaking Explore Related tagging on EKS clusters. Use a Base64URL decoder or normalize the payload before decoding.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

plugins/filter_kubernetes/kubernetes_aws.c (1)

297-300: Validate token_size after reading the Kubernetes token
Token constant is defined (kube_meta.h:55). Add a check that token_size > 0 and token_size <= FLB_KUBE_TOKEN_BUF_SIZE before using the buffer to guard against empty or overly large token reads.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 912b7d7 and 721ae39.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (5)

plugins/filter_kubernetes/kube_conf.h (1)

77-80: LGTM!

The updated comment accurately reflects the new platform detection approach using serviceaccount token issuer inspection. The removal of the AWS_AUTH_CONFIG_MAP macro (mentioned in the summary) aligns with the shift away from ConfigMap-based detection.

plugins/filter_kubernetes/kubernetes_aws.c (4)

26-26: LGTM!

The inclusion of flb_utils.h is necessary for the flb_utils_read_file function used in the new platform detection logic.

---

302-313: LGTM!

The JWT structure validation correctly checks for the expected three-part format (header.payload.signature) and properly handles cleanup on parse failures.

---

315-346: Locate flb_base64_decode implementation.

Run:

#!/bin/bash
rg -n "flb_base64_decode" -g '*.c' -g '*.h' -C3

---

286-386: No changes needed for determine_platform return handling.

The only caller in kube_meta.c correctly treats ret == -1 as non-EKS and all other values (i.e. 1) as EKS.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Replace manual JSON parsing with a proper parser.

The current string-based parsing for the "iss" field is fragile and may fail or produce false positives in the following scenarios:

• The "iss" field appears in a nested JSON object
• The issuer value contains escaped quotes
• Another field name contains "iss" as a substring (e.g., "missing")

Since the file already includes flb_jsmn.h (line 23), use the jsmn JSON parser for robust and reliable extraction of the issuer field.

Consider applying this approach:

/* Parse JSON payload using jsmn */
jsmn_parser parser;
jsmntok_t tokens[64];  /* Adjust size as needed */
int token_count;

jsmn_init(&parser);
token_count = jsmn_parse(&parser, payload, payload_len, tokens, sizeof(tokens)/sizeof(tokens[0]));

if (token_count < 0) {
    flb_free(payload);
    return -1;
}

/* Find and extract "iss" field value */
char *issuer = NULL;
size_t issuer_len = 0;

for (int i = 1; i < token_count; i++) {
    if (tokens[i].type == JSMN_STRING && 
        strncmp(payload + tokens[i].start, "iss", tokens[i].end - tokens[i].start) == 0) {
        /* Next token is the value */
        if (i + 1 < token_count && tokens[i + 1].type == JSMN_STRING) {
            issuer = payload + tokens[i + 1].start;
            issuer_len = tokens[i + 1].end - tokens[i + 1].start;
            break;
        }
    }
}

if (!issuer) {
    flb_free(payload);
    return -1;
}

🤖 Prompt for AI Agents

plugins/filter_kubernetes/kubernetes_aws.c lines 347-375: Replace the brittle
string-based "iss" extraction with jsmn parsing: initialize a jsmn_parser, parse
payload using payload_len into a tokens array (resize tokens if needed), check
token_count for errors and free payload on failure, then iterate tokens to find
a JSMN_STRING token whose content exactly equals "iss" (use
tokens[i].start/end), verify the next token exists and is a string, and set
issuer_start = payload + tokens[i+1].start and issuer_end = payload +
tokens[i+1].end; on any failure free payload and return -1; this handles nested
objects and escaped characters correctly.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix pattern matching to search within issuer value only.

The current implementation uses strstr(issuer_start, ...) which searches the entire remaining payload string, not just the issuer value between issuer_start and issuer_end. This could produce false positives if the EKS patterns appear elsewhere in the JSON payload after the issuer field.

Apply this diff to limit the pattern search to the issuer value:

-    /* Check if issuer contains EKS OIDC URL pattern */
-    /* EKS OIDC URLs follow pattern: https://oidc.eks.{region}.amazonaws.com/id/{cluster-id} */
-    if (strstr(issuer_start, "oidc.eks.") && strstr(issuer_start, ".amazonaws.com/id/")) {
-        flb_free(payload);
-        return 1; /* EKS detected */
-    }
+    /* Check if issuer contains EKS OIDC URL pattern */
+    /* EKS OIDC URLs follow pattern: https://oidc.eks.{region}.amazonaws.com/id/{cluster-id} */
+    size_t issuer_len = issuer_end - issuer_start;
+    char *issuer_value = flb_strndup(issuer_start, issuer_len);
+    if (!issuer_value) {
+        flb_free(payload);
+        return -1;
+    }
+    
+    int is_eks = (strstr(issuer_value, "oidc.eks.") && strstr(issuer_value, ".amazonaws.com/id/"));
+    flb_free(issuer_value);
+    
+    if (is_eks) {
+        flb_free(payload);
+        return 1; /* EKS detected */
+    }

🤖 Prompt for AI Agents

In plugins/filter_kubernetes/kubernetes_aws.c around lines 377 to 385, the code
currently calls strstr on issuer_start which searches the rest of the payload
and can hit patterns outside the issuer value; instead limit the search to only
the issuer substring between issuer_start and issuer_end. Extract or reference
the issuer value length (issuer_end - issuer_start) and either copy that range
into a NUL-terminated buffer or use a bounded search (e.g., memmem with the
length) to look for "oidc.eks." and ".amazonaws.com/id/" only inside that issuer
value, then free any temporary buffer and return 1 for EKS or -1 otherwise.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 721ae39 and 1a27fbf.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kubernetes_aws.c

🔇 Additional comments (1)

plugins/filter_kubernetes/kube_conf.h (1)

77-80: All references to AWS_AUTH_CONFIG_MAP have been removed
Search for AWS_AUTH_CONFIG_MAP across .c and .h files returned no results, confirming safe removal.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

Clarify comment accuracy regarding namespace usage.

The updated comment states "Namespace and token path used for verifying..." but based on the new JWT issuer inspection approach described in the PR and AI summary, the detection logic only reads and parses the serviceaccount token to check the issuer field—it doesn't appear to query or use the KUBE_SYSTEM_NAMESPACE for platform verification itself.

Please verify whether KUBE_SYSTEM_NAMESPACE is actually utilized in the new detection flow, or if it's a legacy constant that remains for other purposes. If the namespace is no longer part of platform detection, consider updating the comment to reflect this more accurately.

Run the following script to verify how KUBE_SYSTEM_NAMESPACE is used in the codebase:

---

🏁 Script executed:

#!/bin/bash
# Description: Check where KUBE_SYSTEM_NAMESPACE is referenced and how it's used

# Find all references to KUBE_SYSTEM_NAMESPACE
echo "=== References to KUBE_SYSTEM_NAMESPACE ==="
rg -n --type=c --type=h 'KUBE_SYSTEM_NAMESPACE' -A 3 -B 3

echo ""
echo "=== Check if it's used in determine_platform ==="
ast-grep --pattern $'determine_platform($$$) {
  $$$
}'

Length of output: 623

---

Update header comment to reflect JWT issuer–only detection
The KUBE_SYSTEM_NAMESPACE constant isn’t referenced by the new platform-detection logic; revise the comment to mention only the serviceaccount token path and issuer inspection.

🤖 Prompt for AI Agents

In plugins/filter_kubernetes/kube_conf.h around lines 77 to 80, the header
comment incorrectly mentions namespace-based detection though the new
platform-detection only checks the serviceaccount token path and inspects the
token issuer; update the comment to remove reference to
namespace/namespace-based detection and state that detection is performed solely
by reading the serviceaccount token and checking its issuer field (JWT
issuer-only detection).