@edsiper edsiper commented Nov 10, 2025

This is a dup of #11002 with a little change to make it compile in CentOS

Background

Explore Related introduced filter_kubernetes to add Kubernetes metadata to logs and metrics. The filter historically relied on the presence of the aws-auth ConfigMap to determine if the cluster is running on Amazon EKS. However, with the launch of EKS access entries, the aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters.

Problem

With the launch of EKS access entries, aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters. Missing ConfigMap causes two issues:

  • Noisy audit logs: Generates 404 not found errors in k8s audit logs when the aws-auth ConfigMap doesn't exist
  • Incorrect platform tagging: EKS clusters using access entries (API) are falsely tagged as Generic or K8s platform instead of AWS::EKS for "Explore Related" functionality

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

Release Notes

  • Refactor
    • Improved AWS EKS platform detection mechanism by shifting from configuration map inspection to service account token issuer verification. This change enhances reliability of environment detection while maintaining compatibility with existing deployments.

movence and others added 2 commits November 10, 2025 10:35
More reliable AWS EKS detection by inspecting service account token issuer

Signed-off-by: Hyunsoo Kim <hsookim@amazon.com>
Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
coderabbitai bot commented Nov 10, 2025

Walkthrough

A macro for AWS auth ConfigMap detection was removed and the Kubernetes platform detection logic was replaced. The change shifts from inspecting the aws-auth ConfigMap to analyzing the serviceaccount JWT token issuer field, incorporating JWT extraction, base64url decoding, and JSON payload parsing to identify EKS OIDC issuer patterns.

Changes

Cohort / File(s): Summary
  • Header Update: plugins/filter_kubernetes/kube_conf.h
    Removed public macro AWS_AUTH_CONFIG_MAP and updated surrounding comment to reference JWT token issuer verification.
  • Platform Detection Logic: plugins/filter_kubernetes/kubernetes_aws.c
    Replaced ConfigMap-based platform detection with JWT token-based approach; added JWT extraction, base64url decoding, JSON parsing for the "iss" field, and EKS OIDC issuer pattern matching. Includes file I/O for service token reading and enhanced error handling.

Sequence Diagram(s)

sequenceDiagram
    participant Old as Old Flow
    participant New as New Flow
    participant FileSystem
    participant JWT as JWT Parser
    participant OIDC as Pattern Matcher

    rect rgb(240, 248, 255)
    Note over Old: Legacy Approach
    Old->>Old: Query aws-auth ConfigMap
    Old-->>Old: Check ConfigMap presence
    end

    rect rgb(230, 245, 230)
    Note over New: New Approach
    New->>FileSystem: Read serviceaccount token
    FileSystem-->>New: Token content
    New->>JWT: Extract & decode JWT
    JWT-->>New: Payload with "iss" claim
    New->>OIDC: Match oidc.eks.* pattern
    OIDC-->>New: EKS issuer detected (1) or not (-1)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • JWT decoding and base64url handling: Verify correctness of base64url decoding with padding logic
  • JSON payload parsing: Confirm the "iss" field extraction and bounds checking are robust
  • File I/O and error handling: Ensure proper cleanup of file handles, buffers, and error paths (file not found, allocation failures, malformed tokens)
  • OIDC pattern matching: Validate the EKS issuer pattern regex/check for edge cases
  • Integration impact: Assess compatibility with existing callers and removal of the ConfigMap macro

Suggested labels

backport to v4.0.x

Suggested reviewers

  • fujimotos
  • koleini

Poem

🐰 From ConfigMaps we now break free,
JWT tokens hold the key!
Decode and parse with care so true,
EKS patterns shine right through.
OIDC issuer lights the way,
A cleaner check for EKS today!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: replacing aws-auth ConfigMap detection with service account issuer inspection to detect EKS environments, with a compiler fix.

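The walkthrough above describes the new detection path: split the service-account JWT on its dots, base64url-decode the payload, read the `iss` claim and match it against the EKS OIDC issuer. The following is an added, self-contained C example of those steps and is not Fluent Bit's own code; the function names `b64url_decode` and `eks_issuer_check`, the constructed sample token and the issuer prefix `https://oidc.eks.` (the page names the pattern only as `oidc.eks.*`) are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char b64url[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Decode an unpadded base64url segment; returns decoded length or -1 on a bad byte. */
static int b64url_decode(const char *in, size_t len, unsigned char *out) {
    unsigned int acc = 0;
    int bits = 0, n = 0;
    for (size_t i = 0; i < len; i++) {
        const char *p = in[i] ? strchr(b64url, in[i]) : NULL;
        if (!p) return -1;                      /* '=' padding or non-alphabet byte */
        acc = ((acc << 6) | (unsigned int) (p - b64url)) & 0xffffff;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (acc >> bits) & 0xff; }
    }
    return n;
}

/* 1 = EKS OIDC issuer, 0 = some other issuer, -1 = malformed token or no "iss" claim.
 * The claim is only read, never verified against a signature, so the result is a
 * platform hint for tagging, not an authentication decision. */
int eks_issuer_check(const char *token) {
    const char *d1 = strchr(token, '.');
    const char *d2 = d1 ? strchr(d1 + 1, '.') : NULL;
    if (!d1 || !d2) return -1;                  /* not header.payload.signature */
    size_t plen = (size_t) (d2 - d1 - 1);
    unsigned char *payload = malloc(plen + 1);  /* decoded bytes < encoded chars */
    if (!payload) return -1;
    int n = b64url_decode(d1 + 1, plen, payload);
    if (n < 0) { free(payload); return -1; }
    payload[n] = '\0';
    const char *iss = strstr((char *) payload, "\"iss\":\"");
    /* Assumed EKS issuer shape: https://oidc.eks.<region>.amazonaws.com/id/<ID> */
    int ret = iss ? (strncmp(iss + 7, "https://oidc.eks.", 17) == 0) : -1;
    free(payload);
    return ret;
}

/* Constructed sample: payload {"iss":"https://oidc.eks.eu-west-1.amazonaws.com/id/X"}
 * behind a fixed header and a dummy signature (the check reads neither). */
const char *SAMPLE_EKS_TOKEN = "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL29pZGMuZWtzLmV1LXdlc3QtMS5hbWF6b25hd3MuY29tL2lkL1gifQ.sig";

int main(void) {
    printf("sample token -> %d (1 = EKS issuer)\n", eks_issuer_check(SAMPLE_EKS_TOKEN));
    return 0;
}
```

A non-EKS issuer (for example the legacy `kubernetes/serviceaccount` issuer) yields 0, and a token with no `iss` claim, fewer than two dots, or non-base64url bytes yields -1, which is the case the PR maps to "not EKS".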

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 29f41f6 and 773c27e.

📒 Files selected for processing (2)
  • plugins/filter_kubernetes/kube_conf.h (1 hunks)
  • plugins/filter_kubernetes/kubernetes_aws.c (5 hunks)

Comment on lines +307 to +324
    ret = flb_utils_read_file(FLB_KUBE_TOKEN, &token_buf, &token_size);
    if (ret != 0 || !token_buf) {
        return -1;
    }

    /* JWT tokens have 3 parts separated by dots: header.payload.signature */
    first_dot = strchr(token_buf, '.');
    if (!first_dot) {
        flb_free(token_buf);
        return -1;
    }

    second_dot = strchr(first_dot + 1, '.');
    if (!second_dot) {
        flb_free(token_buf);
        return -1;
    }


⚠️ Potential issue | 🟠 Major

Respect configured token file path in determine_platform()

The new logic hardcodes FLB_KUBE_TOKEN when reading the serviceaccount JWT. Deployments that set Kube_Token_File (populating ctx->token_file) will now fail to read their token, causing determine_platform() to return -1 and misclassify EKS clusters. Please honor the configured path and fall back to the default only when the configuration is unset.

Apply this diff to restore compatibility:

-    ret = flb_utils_read_file(FLB_KUBE_TOKEN, &token_buf, &token_size);
+    const char *token_path = ctx->token_file ? ctx->token_file : FLB_KUBE_TOKEN;
+
+    ret = flb_utils_read_file((char *) token_path, &token_buf, &token_size);
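Review bot: the cast on the last `+` line, `flb_utils_read_file((char *) token_path, ...)`, throws away the `const` that the preceding `+` line just added; declaring `char *token_path = ctx->token_file ? ctx->token_file : FLB_KUBE_TOKEN;` removes the cast-away-const and matches the argument type the call evidently expects. If any statement precedes line +307 in `determine_platform()`, this declaration also lands after code, so it is safer to move it up with the function's other declarations (`ret`, `token_buf`, `token_size` are clearly declared above), which also fits the PR's stated goal of compiling on CentOS. Separately, the `return -1` paths around this read fail silently; a debug-level log naming the token path that could not be read would make an EKS misclassification diagnosable from Fluent Bit's own output.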

@edsiper edsiper merged commit d814153 into master Nov 10, 2025
59 checks passed
@edsiper edsiper deleted the aws-filter_kubernetes_eks_env branch November 10, 2025 17:58