Description
The kubernetes metadata fields are not added anymore since v7.16 if a field named kubernetes.cluster.name (or any field that starts with kubernetes, I suppose) is statically added to all events with fields and fields_under_root in the config. It is presumably caused by this PR: #27689.
I understand the rationale of the PR, but I think there is room for improvement:
-
First and foremost, nothing appears in the log, which makes the issue really difficult to troubleshoot. It would be great if a warning was logged once, the first time the processor decides to skip adding the metadata (as far as I understand, if logging level is set to
debug, the skipping would be logged for each event, but one warning in the normal logging level would be nice). -
Second, in this particular case, the add_kubernetes_metadata took the decision not to add the metadata even though it wouldn't output the
kubernetes.cluster.namefield anyway (which is why I add it statically in the first place). Maybe the decision to add the metadata fields should be taken field by field, and not for the whole document, ie. fields that are already present in the document are not overwritten, but fields that are not present are added. Maybe this could be configurable, eg. with an option likeoverwrite_existing_metadata: 'always' | 'never' | 'merge', default beingnever(current behaviour).
Here is the filebeat.yml config, just in case:
filebeat.inputs:
- type: container
paths:
- /var/log/containers/*.log
processors:
- add_kubernetes_metadata:
host: ${NODE_NAME}
matchers:
- logs_path:
logs_path: "/var/log/containers/"
output.elasticsearch:
protocol: https
fields_under_root: true
fields:
kubernetes.cluster.name: "${KUBERNETES_CLUSTER_NAME}"
cloud.provider: "o3"
cloud.availability_zone: "o3"
processors:
- add_host_metadata:
cloud.id: "${ELASTIC_CLOUD_ID}"
cloud.auth: "${ELASTIC_CLOUD_AUTH}"