Initial commit for setting up a new component: k8slog receiver

[h0cheung]

Description:

k8slog receiver provides full functionality to collect logs in k8s containers. It is an all-in-one solution, which supports to:

• collect logs from files inside k8s containers via daemonset
• support docker and cri-containerd
• support many docker graph drivers / snapshotters
• collect logs from stdout of k8s containers via daemonset
• filter containers by metadata
• extract metadata of containers
• collect file logs in k8s containers via sidecar

If we want to collect logs from k8s, we can use this component.

Link to tracking Issue:

#23339

Testing:

Tests for unmarshaling configuration have been added.

Documentation:

Docs for configurations and overall design has been added.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[h0cheung]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

remove stale

[dmitryax]

Are all of the configuration options required for the initial implementation? Can you remove them for now and add them along with the functionality using them going forward?

[TylerHelmuth]

I agree, starting small will make things easier to review and get started and we can always add them in the future.

[TylerHelmuth]

@h0cheung I am very excited about this component, sorry I didn't see your proposal sooner. @dmitryax thanks for pointing it out.

[TylerHelmuth]

Lets not introduce expr filtering to start. The other filter options you've provided are quite extensive. For expression language filtering I'd prefer we use OTTL.

[TylerHelmuth]

You can add me here as well

[h0cheung]

OK, I will do it soon.

[ChrsMark]

Hey @TylerHelmuth @h0cheung , I will be more than happy to help reviewing/testing and maintaining this component. In this, feel free to add me into the list as well if that's ok already.

[TylerHelmuth]

I agree, starting small will make things easier to review and get started and we can always add them in the future.

[h0cheung]

@TylerHelmuth @dmitryax I've simplified the configs and added Tyler Helmuth to the code owner. Could you please have a look at this?

[TylerHelmuth]

I don't think we should allow extracting from env variables, that feels like a security risk.

[h0cheung]

OtelEnv has been removed.
However, Env is needed in some cases. For example, if there are some environment variables in the docker image, there is no other way to get it.
Is this really risky? resourcedetection supports it, and this component gets k8s node name from environment variables, too.

[TylerHelmuth]

Using an env var to filter feels ok. But this section is for taking fields from the pod and adding them as resource attributes to the log right?

[h0cheung]

Getting attributes from environment variables is useful, and many components support it such as resoucedetection

Are there any reports of security risks associated with reading environment variables as strings and adding them to data?

[TylerHelmuth]

The risk is exposing apikey/password information, but that risk is lowered if the config only allows static strings. If we do allow this I think we can do all env vars with 1 config option, no need to split out OTel env vars.

[h0cheung]

By default, the env config is empty, and no variable will be exposed. When a user set this, he should know what he is doing.

It seems that otel_env is necessary, so I've removed it in the latest commit.

[TylerHelmuth]

@dmitryax do you have an opinion?

[h0cheung]

Any updates for this?

[TylerHelmuth]

Lets move forward with this allowed as we've discussed.

[ChrsMark]

I also find it useful to have the option to collect ENV_VAR information from the Pods.
That would give us important information about OTEL specific info like OTEL_SERVICE_NAME.
Having service.name populated in log records collected by the k8slog receiver is quite important since it will allow us to correlate logs with traces using the service.name value.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[atoulme]

@TylerHelmuth fyi is it a good time to review? I'll try my hand at it if possible.

[atoulme]

not blocking, but it'd be nice to have issues to track those?

[atoulme]

Do we need this right away?

Note other components also have built their own filters, such as k8sobjects.

[h0cheung]

This filter is similar to the k8sattributes processor. Many users who want to use this component may be familiar with k8sattributes since it was the previous solution for correlating k8s metadata to logs. This may reduce their migration costs.

[atoulme]

As a first PR it looks like this can land. You could cut down a bit on the filters to bring them back later with more testing, but it's ok to mature them in as well.

[ChrsMark]

It would be nice to mention what functionalities users lose by not being able set these options.

[ChrsMark]

Will the otel container need any special permissions in order to be able to share mounts with the incoming target Pods on the fly?

[h0cheung]

No. It connect to the runtime API.

[ChrsMark]

I'm not sure why we need the whole host's root directory to be mounted. Can't we just focus on /var/log/pods by default for the stdout mode? I guess many users would have concerns if their whole host directory is mounted by default.

[h0cheung]

Yes. But the files under /var/log/pods may be symbol links to paths defined by runtimes, which can also be configured by ops. If they don't mount the whole host's root directory, they must have knowledge about will the files actually live. This may be difficult for users, especially with k8s clusters that mix nodes with different runtimes.

[ChrsMark]

Wouldn't that be better if we chose a reasonable list of directories like /var/log/pods/*, /var/lib/docker/* etc in order to specifically define the possible directories the known runtimes use?
We can even make this list configurable so as advanced users could set their own extra directories if the want.

Mounting the whole host's root directory looks problematic to me and maybe shouldn't be the default.
In GKE Autopilot for example this would not be supported: grafana/loki#9100.

So my suggestion would be to start with reasonable defaults, while also giving the option for more advanced users to extend these defaults.

[ChrsMark]

Can't we just by-pass the extra API call to the runtime and construct the log path based on a default pattern which is more or less known? i.e. /var/log/pods/'<namespace>_<pod_name>_<pod_uid>'/<container_name>/*.log, where namespace, pod_name, pod_uid and container_name are already known from the k8s API.

[h0cheung]

This also works. Datadog is using this way. But:

1. The path is different across k8s versions. Maybe it will also change in future. see https://github.com/DataDog/datadog-agent/blob/0d3dcb9fdb96e8a9d1810bb041d2dae6250372f8/pkg/logs/launchers/container/tailerfactory/file.go#L239
2. Some runtime API will directly return the actual path, which reduces resolving symbol links.
3. If we bypass extra API, it will be complex to get environment variables defined by downward api.

[github-actions]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

[h0cheung]

This PR was marked stale due to lack of activity. It will be closed in 14 days.

remove stale