Skip to content

filter_kubernetes: use service account issuer to detect EKS env #11002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

filter_kubernetes: use service account issuer to detect EKS env #11002

wants to merge 3 commits into from
+115 −11

Conversation

movence
Copy link

@movence movence commented Oct 8, 2025
edited
Loading

Background

Explored Related introduced filter_kubernetes to add Kubernetes metadata to logs and metrics. The filter historically relied on the presence of the aws-auth ConfigMap to determine if the cluster is running on Amazon EKS. However, with the launch of EKS access entries, the aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters.

Problem

With the launch of EKS access entries, aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters. Missing ConfigMap causes two issues:

  • Noisy audit logs: Generates 404 not found errors in k8s audit logs when the aws-auth ConfigMap doesn't exist
  • Incorrect platform tagging: EKS clusters using access entries (API ) are falsely tagged as Generic or K8s platform instead of AWS::EKS for "Explore Related" functionality
NA

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Using an EKS cluster with authemticationMode set to API to prevent aws-auth configmap from being created

# eksctl config
accessConfig:
   authenticationMode: API

Use CloudWatch LogInsights to search application log entries with metadata. Note the value for @entity.Attributes.PlatformType

## using public.ecr.aws/aws-observability/aws-for-fluent-bit:2.33.2
Field	Value
@entity.Attributes.K8s.Cluster	 mixed-133
@entity.Attributes.K8s.Namespace	 amazon-cloudwatch
@entity.Attributes.K8s.Node	 ip-192---.us-west-2.compute.internal
@entity.Attributes.K8s.Workload	 cloudwatch-agent
@entity.Attributes.PlatformType	 K8s

## with the new changes
Field	Value
@entity.Attributes.EKS.Cluster	mixed-133
@entity.Attributes.K8s.Namespace	amazon-cloudwatch
@entity.Attributes.K8s.Node	ip-192---.us-west-2.compute.internal
@entity.Attributes.K8s.Workload	cloudwatch-agent
@entity.Attributes.PlatformType	AWS::EKS
  • Example configuration file for the change
application-log.conf: |
          [INPUT]
            Name                tail
            Tag                 application.*
            Exclude_Path        /var/log/containers/cloudwatch-agent*, /var/log/containers/fluent-bit*, /var/log/containers/aws-node*, /var/log/containers/kube-proxy*
            Path                /var/log/containers/*.log
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_container.db
            Mem_Buf_Limit       50MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Rotate_Wait         30
            storage.type        filesystem
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/fluent-bit*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_log.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/cloudwatch-agent*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_cwagent.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [FILTER]
            Name                aws
            Match               application.*
            enable_entity   true
          
          [FILTER]
            Name                kubernetes
            Match               application.*
            Kube_URL            https://kubernetes.default.svc:443
            Kube_Tag_Prefix     application.var.log.containers.
            Merge_Log           On
            Merge_Log_Key       log_processed
            K8S-Logging.Parser  On
            K8S-Logging.Exclude Off
            Labels              Off
            Annotations         Off
            Use_Kubelet         On
            Kubelet_Port        10250
            Buffer_Size         0
          
          [OUTPUT]
            Name                cloudwatch_logs
            Match               application.*
            region              ${AWS_REGION}
            log_group_name      /aws/containerinsights/${CLUSTER_NAME}/application
            log_stream_prefix   ${HOST_NAME}-
            auto_create_group   true
            extra_user_agent    container-insights
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • More reliable detection of AWS EKS by inspecting service account token issuer, improving behavior in restricted clusters.

  • Bug Fixes

    • Removed reliance on cluster ConfigMap checks, reducing permission needs and misdetection risk.
    • Improved error handling, parsing robustness, and resource cleanup during detection.

  • Documentation

    • Updated comments to describe the new EKS detection approach.

@coderabbitai
Copy link

coderabbitai bot commented Oct 8, 2025
edited
Loading

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Replaced ConfigMap-based EKS detection with serviceaccount JWT issuer inspection and removed the exported AWS_AUTH_CONFIG_MAP macro. determine_platform now reads the serviceaccount token, parses the JWT payload, base64-decodes it, extracts the "iss" field, and matches EKS OIDC URL patterns. (≤50 words)

Changes

Cohort / File(s) Summary
Platform detection via JWT issuer
plugins/filter_kubernetes/kubernetes_aws.c		 Rewrote determine_platform to read the serviceaccount token file, validate/split the JWT (header.payload.signature), base64-decode the payload, extract the "iss" field, match EKS OIDC patterns (oidc.eks.*.amazonaws.com/id/...), and return 1 for EKS or -1 on failures; added error handling, memory cleanup, and included flb_utils.h.
Public macro cleanup
plugins/filter_kubernetes/kube_conf.h		 Removed exported macro AWS_AUTH_CONFIG_MAP (previously "aws-auth") and updated comment to describe issuer-based verification via serviceaccount token instead of ConfigMap lookup.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant FLB as Fluent Bit
  participant K8S as kubernetes_aws.c
  participant FS as Filesystem

  Note right of K8S #F0F4FF: determine_platform(ctx)
  K8S->>FS: read serviceaccount token file
  alt read fails
    K8S-->>FLB: return -1
  else token read
    K8S->>K8S: split JWT (header.payload.signature)
    alt malformed JWT
      K8S-->>FLB: return -1
    else JWT ok
      K8S->>K8S: base64-decode payload
      alt decode fails
        K8S-->>FLB: return -1
      else decoded payload
        K8S->>K8S: extract "iss" value
        alt issuer matches oidc.eks.*.amazonaws.com/id/...
          Note right of K8S #DFF2E1: EKS detected
          K8S-->>FLB: return 1
        else no match
          K8S-->>FLB: return -1
        end
      end
    end
  end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • koleini
  • fujimotos

Poem

I nibble tokens hidden in a stream,
I split JWTs to chase a dream.
Base64 crumbs and an "iss" that's true,
I hop to EKS — a quiet clue. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title Check ✅ Passed The pull request title "filter_kubernetes: use service account issuer to detect EKS env" accurately and concisely describes the primary change in the changeset. The PR changes the EKS detection mechanism from inspecting the aws-auth ConfigMap to inspecting the Kubernetes service account token issuer, which is exactly what the title conveys. The title is clear, specific, and free of vague language or noise, allowing a teammate reviewing the git history to immediately understand the main purpose of the change. The title is directly supported by the modifications across both affected files (removing the AWS_AUTH_CONFIG_MAP macro and implementing issuer-based detection logic).
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Oct 8, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

coderabbitai[bot]
coderabbitai bot reviewed Oct 8, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
plugins/filter_kubernetes/kubernetes_aws.c (1)

297-300: Validate token_size after reading the Kubernetes token
Token constant is defined (kube_meta.h:55). Add a check that token_size > 0 and token_size <= FLB_KUBE_TOKEN_BUF_SIZE before using the buffer to guard against empty or overly large token reads.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 912b7d7 and 721ae39.

📒 Files selected for processing (2)
  • plugins/filter_kubernetes/kube_conf.h (1 hunks)
  • plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
plugins/filter_kubernetes/kubernetes_aws.c (2)
src/flb_utils.c (1)
  • flb_utils_read_file (1937-1940)
include/fluent-bit/flb_mem.h (1)
  • flb_free (126-128)
🔇 Additional comments (5)
plugins/filter_kubernetes/kube_conf.h (1)

77-80: LGTM!

The updated comment accurately reflects the new platform detection approach using serviceaccount token issuer inspection. The removal of the AWS_AUTH_CONFIG_MAP macro (mentioned in the summary) aligns with the shift away from ConfigMap-based detection.

plugins/filter_kubernetes/kubernetes_aws.c (4)

26-26: LGTM!

The inclusion of flb_utils.h is necessary for the flb_utils_read_file function used in the new platform detection logic.

302-313: LGTM!

The JWT structure validation correctly checks for the expected three-part format (header.payload.signature) and properly handles cleanup on parse failures.

315-346: Locate flb_base64_decode implementation.

Run:

#!/bin/bash
rg -n "flb_base64_decode" -g '*.c' -g '*.h' -C3

286-386: No changes needed for determine_platform return handling.

The only caller in kube_meta.c correctly treats ret == -1 as non-EKS and all other values (i.e. 1) as EKS.

plugins/filter_kubernetes/kubernetes_aws.c
Comment on lines 347 to 375
/* Look for "iss" field in the JSON payload */
issuer_start = strstr(payload, "\"iss\":");
if (!issuer_start) {
flb_free(payload);
return -1;
}

/* Skip to the value part */
issuer_start = strchr(issuer_start, ':');
if (!issuer_start) {
flb_free(payload);
return -1;
}
return -1;
issuer_start++;

/* Skip whitespace and opening quote */
while (*issuer_start == ' ' || *issuer_start == '\t') issuer_start++;
if (*issuer_start != '"') {
flb_free(payload);
return -1;
}
issuer_start++;

/* Find closing quote */
issuer_end = strchr(issuer_start, '"');
if (!issuer_end) {
flb_free(payload);
return -1;
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Replace manual JSON parsing with a proper parser.

The current string-based parsing for the "iss" field is fragile and may fail or produce false positives in the following scenarios:

  • The "iss" field appears in a nested JSON object
  • The issuer value contains escaped quotes
  • Another field name contains "iss" as a substring (e.g., "missing")

Since the file already includes flb_jsmn.h (line 23), use the jsmn JSON parser for robust and reliable extraction of the issuer field.

Consider applying this approach:

/* Parse JSON payload using jsmn */
jsmn_parser parser;
jsmntok_t tokens[64];  /* Adjust size as needed */
int token_count;

jsmn_init(&parser);
token_count = jsmn_parse(&parser, payload, payload_len, tokens, sizeof(tokens)/sizeof(tokens[0]));

if (token_count < 0) {
    flb_free(payload);
    return -1;
}

/* Find and extract "iss" field value */
char *issuer = NULL;
size_t issuer_len = 0;

for (int i = 1; i < token_count; i++) {
    if (tokens[i].type == JSMN_STRING && 
        strncmp(payload + tokens[i].start, "iss", tokens[i].end - tokens[i].start) == 0) {
        /* Next token is the value */
        if (i + 1 < token_count && tokens[i + 1].type == JSMN_STRING) {
            issuer = payload + tokens[i + 1].start;
            issuer_len = tokens[i + 1].end - tokens[i + 1].start;
            break;
        }
    }
}

if (!issuer) {
    flb_free(payload);
    return -1;
}
🤖 Prompt for AI Agents 
plugins/filter_kubernetes/kubernetes_aws.c lines 347-375: Replace the brittle
string-based "iss" extraction with jsmn parsing: initialize a jsmn_parser, parse
payload using payload_len into a tokens array (resize tokens if needed), check
token_count for errors and free payload on failure, then iterate tokens to find
a JSMN_STRING token whose content exactly equals "iss" (use
tokens[i].start/end), verify the next token exists and is a string, and set
issuer_start = payload + tokens[i+1].start and issuer_end = payload +
tokens[i+1].end; on any failure free payload and return -1; this handles nested
objects and escaped characters correctly.

@movence movence force-pushed the aws-eks-detection branch from 721ae39 to 1a27fbf Compare October 8, 2025 18:02
coderabbitai[bot]
coderabbitai bot reviewed Oct 8, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 721ae39 and 1a27fbf.

📒 Files selected for processing (2)
  • plugins/filter_kubernetes/kube_conf.h (1 hunks)
  • plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • plugins/filter_kubernetes/kubernetes_aws.c
🔇 Additional comments (1)
plugins/filter_kubernetes/kube_conf.h (1)

77-80: All references to AWS_AUTH_CONFIG_MAP have been removed
Search for AWS_AUTH_CONFIG_MAP across .c and .h files returned no results, confirming safe removal.

@movence movence force-pushed the aws-eks-detection branch from 1a27fbf to 1c0104a Compare October 8, 2025 18:12
zhihonl
zhihonl reviewed Oct 15, 2025
View reviewed changes
plugins/filter_kubernetes/kube_conf.h
* on EKS or native Kubernetes by inspecting serviceaccount token issuer
*/
#define KUBE_SYSTEM_NAMESPACE "kube-system"
#define AWS_AUTH_CONFIG_MAP "aws-auth"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we keep this as a fallback for old clusters? Or does the issuer exist on both old and new cluster so it should just be the definitive mechanism for determining platforms?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good point. We found that the EKS service account issuer was introduced starting with EKS version 1.21, which has been EOL for quite some time now. This gave us confidence to move forward with this approach without a fallback.

@movence
move variables to beginning
8b53611 
Signed-off-by: Hyunsoo Kim <[email protected]>
@edsiper edsiper added this to the Fluent Bit v4.2 milestone Oct 17, 2025
@movence
validate issuer value only
79f7d75 
Signed-off-by: Hyunsoo Kim <[email protected]>
@movence
Copy link
Author

movence commented Oct 23, 2025

Hey @edsiper could you check this out since we've discussed it before?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@fujimotos fujimotos Awaiting requested review from fujimotos fujimotos is a code owner

@koleini koleini Awaiting requested review from koleini koleini is a code owner

+1 more reviewer

@zhihonl zhihonl zhihonl left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

Fluent Bit v4.2

Development

Successfully merging this pull request may close these issues.

3 participants

@movence @zhihonl @edsiper