
[Metricbeat][Kubernetes] Remove mandatory permissions for namespace and node #38762

Merged: 10 commits, Apr 23, 2024

Conversation

constanca-m (Contributor) commented Apr 8, 2024

Proposed commit message

Issue of the PR is #37179.

Currently, we need to have permissions for namespace and nodes, because we create watchers for these resources.
This makes the option add_resource_metadata.*.enabled useless in this case.

To fix this issue, we need to prevent the creation of watchers in two places:

  • When using autodiscover
    • In this case, we also need to make sure hints.enabled is set to false. Otherwise, the watchers will be created.
  • When creating the enrichers
    • Only create the namespace watcher if add_resource_metadata.namespace.enabled is set to true
    • Do the same for node
    • Exception: if state_namespace is enabled, then we create the watcher for that resource, regardless of the block add_resource_metadata. Same for node metricsets.

This means having this in the configuration of the kubernetes provider:

add_resource_metadata:
  namespace:
    enabled: false
  node:
    enabled: false

And making sure:

hints.enabled: false

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

  1. Clone this branch.
  2. Deploy the Metricbeat built from this branch in a Kubernetes cluster.
  3. Make sure to remove namespace permissions from the ClusterRole.

Configure the provider as:

metricbeat.autodiscover:
  providers:
    - type: kubernetes
      hints.enabled: false
      add_resource_metadata:
        namespace:
          enabled: false
        node:
          enabled: false

Results

We no longer have logs with:

W0408 10:14:45.477767       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metricbeat" cannot list resource "namespaces" in API group "" at the cluster scope
E0408 10:14:45.477909       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.4/tools/cache/reflector.go:167: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metricbeat" cannot list resource "namespaces" in API group "" at the cluster scope

Related issues

Signed-off-by: constanca <constanca.manteigas@elastic.co>
@constanca-m constanca-m added enhancement Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team labels Apr 8, 2024
@constanca-m constanca-m self-assigned this Apr 8, 2024
@constanca-m constanca-m requested review from a team as code owners April 8, 2024 10:29
mergify bot (Contributor) commented Apr 8, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @constanca-m? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8.\d.0 is the label to automatically backport to the 8.\d branch. \d is the digit

mergify bot (Contributor) commented Apr 8, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b namespace-permissions upstream/namespace-permissions
git merge upstream/main
git push upstream namespace-permissions

elasticmachine (Collaborator) commented Apr 8, 2024

💚 Build Succeeded


Build stats

  • Duration: 172 min 32 sec

❕ Flaky test report

No test was executed to be analysed.

@@ -265,13 +265,20 @@ func TestCreateMetaGenSpecific(t *testing.T) {
require.NoError(t, err)

log := logp.NewLogger("test")

namespaceConfig, err := conf.NewConfigFrom(map[string]interface{}{
"enabled": true,
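Review bot: the `err` returned by `conf.NewConfigFrom` on the last visible line needs its own `require.NoError(t, err)`, mirroring the check at the top of the hunk; the hunk is cut off here, so confirm that check follows. A one-line comment explaining why `"enabled": true` is set explicitly (the config is not unpacked with defaults in this test) would also pre-empt the question raised in the thread below.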
Contributor commented:

is it needed to set explicitly? by default it is already true, no?

constanca-m (Contributor Author) commented:

By default it is true, yes, but in this case we need to add it explicitly because the config is not unpacking the default one, as we are now doing for pod_test and service_test.
if addResourceMetadata.Node.Enabled() {
extra = append(extra, NodeResource)
}
if addResourceMetadata.Namespace.Enabled() {
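Review bot: gating `extra = append(extra, NodeResource)` solely on `addResourceMetadata.Node.Enabled()` misses the precedence the PR later settles on, where a metricset that reads the resource itself (node, state_node, and state_namespace for the namespace branch) must still get its watcher when the metadata option is disabled. Make that explicit in both conditions by or-ing the metadata flag with the metricset's own need for the resource (a hypothetical helper such as `metricsetNeedsNode` would do; the name is a suggestion, not existing code), and add a comment stating that the metricset wins over add_resource_metadata.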
gizas (Contributor) commented Apr 16, 2024:

This made me think of the scenario:
a) kubernetes.provider has add_resource_metadata.namespace.enabled: false and the module add_resource_metadata.namespace.enabled: true --> This means that the watcher will start. Always the module config is more specific, correct?

constanca-m (Contributor Author) commented:

Yes, I believe the flow is provider > module > metricset.

Contributor commented:

If you are talking about the kubernetes module, it does not use the kubernetes provider. The kubernetes autodiscover provider can be used to start different modules (like nginx, based on hints or templates) and is also used in log collection.

if err != nil {
logger.Errorf("couldn't create watcher for %T due to error %+v", &kubernetes.Namespace{}, err)

if metaConf.Namespace.Enabled() || config.Hints.Enabled() {
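Review bot: the `if err != nil` branch at the top only logs the failure to create the namespace watcher; now that namespace permissions are optional, whatever runs after it must tolerate a nil watcher, so either return on the error or state in a comment that callers handle nil. In `if metaConf.Namespace.Enabled() || config.Hints.Enabled() {`, the hints term is the reason the PR description requires `hints.enabled: false` to avoid the watcher; a short comment on that line would answer the question raised in the thread below.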
Contributor commented:

Do we actually need config.Hints.Enabled()?
Especially now that metaConf.Namespace has the default value true?

constanca-m (Contributor Author) commented:

Maybe not, but we had this before and I think changing it could be a breaking change, correct?

constanca-m (Contributor Author) commented:

After today's meeting, we decided the following:

  • The resource of each metricset takes priority over the metadata. This means that:
    • If namespace metadata is disabled and state_namespace is enabled, then the namespace watcher is created
    • If node metadata is disabled and state_node or node is enabled, then the node watcher is created
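The precedence settled on above, worked through as an added Go example (this is not Beats code; the config structs, `PlanWatchers` and `RequiredClusterResources` are constructed for illustration). It also derives which cluster-scoped RBAC resources the ClusterRole still needs, which is the practical payoff of this PR:

```go
package main

import "fmt"

// Constructed for this example; these are not Beats' own config structs.
type ResourceMeta struct{ Enabled bool }
type AddResourceMetadata struct{ Namespace, Node ResourceMeta }
type ProviderConfig struct {
	HintsEnabled        bool // hints.enabled
	AddResourceMetadata AddResourceMetadata
}

// Watchers records which cluster-scoped watchers the provider would start.
type Watchers struct{ Namespace, Node bool }

// PlanWatchers applies the rules agreed on this PR: add_resource_metadata.<resource>.enabled
// decides whether a metadata watcher starts, hints.enabled keeps both watchers on (as the PR
// description notes), and a metricset that reads the resource itself (state_namespace,
// state_node, node) takes priority and forces its watcher on regardless of the metadata flag.
func PlanWatchers(cfg ProviderConfig, metricsets []string) Watchers {
	w := Watchers{
		Namespace: cfg.AddResourceMetadata.Namespace.Enabled || cfg.HintsEnabled,
		Node:      cfg.AddResourceMetadata.Node.Enabled || cfg.HintsEnabled,
	}
	for _, ms := range metricsets {
		switch ms {
		case "state_namespace":
			w.Namespace = true
		case "state_node", "node":
			w.Node = true
		}
	}
	return w
}

// RequiredClusterResources lists the cluster-scoped resources the ClusterRole must still grant list/watch on.
func RequiredClusterResources(w Watchers) []string {
	var res []string
	if w.Namespace {
		res = append(res, "namespaces")
	}
	if w.Node {
		res = append(res, "nodes")
	}
	return res
}

func main() {
	fmt.Println(RequiredClusterResources(PlanWatchers(ProviderConfig{}, []string{"pod"}))) // prints []
}
```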

MichaelKatsoulis (Contributor) commented:

@constanca-m The add_kubernetes_metadata processor also includes the add_resource_metadata in its configuration. The processor also creates namespaceWatcher in all cases. We should tackle this as well.

namespaceWatcher, err := kubernetes.NewNamedWatcher("add_kubernetes_metadata_namespace", client, &kubernetes.Namespace{}, kubernetes.WatchOptions{

constanca-m (Contributor Author) commented:

Thank you @MichaelKatsoulis. I added the condition for both namespace and node watchers in the latest commit.

Co-authored-by: Michael Katsoulis <michaelkatsoulis88@gmail.com>
MichaelKatsoulis (Contributor) left a comment:

Good to go. Just a small change in the changelog description.

blakerouse (Contributor) left a comment:

Overall change is mechanical. Looks good to me!

@constanca-m constanca-m merged commit e53eb0c into elastic:main Apr 23, 2024
171 of 189 checks passed
@constanca-m constanca-m deleted the namespace-permissions branch April 23, 2024 15:42
Labels
Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team
Development

Successfully merging this pull request may close these issues.

[Metricbeat Autodiscover] Provider Kubernetes always creates watcher for namespaces and nodes
7 participants