Skip to content

filter_kuberntes: fix accidentally removed u in prefix #11365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cosmo0920 wants to merge 3 commits into
base: master
Choose a base branch
from
Open

filter_kuberntes: fix accidentally removed u in prefix #11365

cosmo0920 wants to merge 3 commits into from

Conversation

@cosmo0920
Copy link
Contributor

@cosmo0920 cosmo0920 commented Jan 13, 2026
edited by coderabbitai bot
Loading

Closes #11322

In the current filter_kubernetes, the pod_name placeholder on regex sometimes causes backtracking and overlooked the beginning letter of u.
With this patch, preventing to execute backtracking and plug the occurrences of missing u prefix in pod_name.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Bug Fixes

    • Refined Kubernetes pod name matching logic for improved metadata extraction accuracy.
    • Fixed buffer handling to ensure proper null termination in file read operations.

  • Tests

    • Added test coverage for Kubernetes pod naming patterns in UAT environments.

✏️ Tip: You can customize this high-level summary in your review settings.

@coderabbitai
Copy link

coderabbitai bot commented Jan 13, 2026
edited
Loading

📝 Walkthrough

Walkthrough

A regex pattern fix is applied to the Kubernetes filter's pod name extraction logic, changing a capturing group to a non-capturing group. This addresses a bug where pod names starting with "u" lose their first character. A test case with a pod named "uat-myapp-12345" is added to verify the fix.

Changes

Cohort / File(s) Summary
Regex pattern fix
plugins/filter_kubernetes/kube_regex.h		 Updated KUBE_TAG_TO_REGEX macro: replaced capturing group ([-a-z0-9]*[a-z0-9])? with non-capturing group (?:[-a-z0-9]*[a-z0-9])? in the pod_name segment
Test infrastructure
tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json		 Added new Kubernetes Pod manifest test data with pod name "uat-myapp-12345"
Test implementation
tests/runtime/filter_kubernetes.c		 Added flb_test_kube_short_prefix_uat_podname() test function and registered it in TEST_LIST; updated file_to_buf() to null-terminate output buffer

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • koleini

Poem

🐰 A pod named "uat" lost its "u" one day,
But our regex caught the pattern astray,
Non-capturing groups save the way,
With tests to prove the bugs away! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title contains a typo ('kuberntes' instead of 'kubernetes') and specifically references fixing a missing 'u' in prefix, which directly aligns with the core issue of pod names starting with 'u' losing that letter.
Linked Issues check ✅ Passed The PR changes (regex fix from capturing to non-capturing group, null terminator addition, and test case) directly address the linked issue #11322 requirement to fix pod names losing the leading 'u' character.
Out of Scope Changes check ✅ Passed All changes are directly scoped to fixing the regex backtracking issue and adding corresponding tests; no unrelated modifications detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 797031c and 5fbd345.

⛔ Files ignored due to path filters (2)
  • tests/runtime/data/kubernetes/log/core/core_uat-myapp-12345_fluent-bit.log is excluded by !**/*.log
  • tests/runtime/data/kubernetes/out/core/core_uat-myapp-12345_fluent-bit.out is excluded by !**/*.out
📒 Files selected for processing (3)
  • plugins/filter_kubernetes/kube_regex.h
  • tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json
  • tests/runtime/filter_kubernetes.c
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings 
Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes generated from pod-template-hash can vary in length and are not always 10 characters. Examples include "9dbdfc456" (9 chars) from "amazon-cloudwatch-observability-controller-manager-9dbdfc456" and "914055854" (9 chars) from "kairosdb-914055854". The DEPLOYMENT_REGEX pattern using {6,10} range for the ID group correctly accommodates this variable length behavior.

Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes are not always 10 characters. The suffix length can vary, as demonstrated by the example "amazon-cloudwatch-observability-controller-manager-9dbdfc456" which has a 9-character suffix. The original DEPLOYMENT_REGEX pattern using {6,10} range for the ID group is more accurate than assuming a fixed 10-character length.

Learnt from: hlein
Repo: fluent/fluent-bit PR: 11168
File: conf/parsers_mult.yaml:8-14
Timestamp: 2025-11-16T22:16:26.032Z
Learning: In Fluent Bit parser configurations (both .conf and .yaml formats), the regex engine automatically strips leading and trailing `/` characters from regex patterns, so patterns like `/Processing by .../` and `Processing by ...` are functionally equivalent and both work correctly.
📚 Learning: 2025-08-14T18:14:41.453Z 
Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes generated from pod-template-hash can vary in length and are not always 10 characters. Examples include "9dbdfc456" (9 chars) from "amazon-cloudwatch-observability-controller-manager-9dbdfc456" and "914055854" (9 chars) from "kairosdb-914055854". The DEPLOYMENT_REGEX pattern using {6,10} range for the ID group correctly accommodates this variable length behavior.

Applied to files:

  • plugins/filter_kubernetes/kube_regex.h
🪛 Checkov (3.2.334)
tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json

[medium] 2-17: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

[medium] 2-17: Minimize the admission of root containers

(CKV_K8S_23)

🔇 Additional comments (3)
tests/runtime/filter_kubernetes.c (1)

415-423: No action required—all required fixture files already exist.

The fixture files for kube_short_prefix_uat_podname are present:

  • tests/runtime/data/kubernetes/log/core/core_uat-myapp-12345_fluent-bit.log
  • tests/runtime/data/kubernetes/out/core/core_uat-myapp-12345_fluent-bit.out
  • tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json

The test is properly registered at line 1128 in the test array.

Likely an incorrect or invalid review comment.

tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json (1)

1-16: No action needed—test fixtures are not scanned by any security tool in CI.

This repository uses Trivy (only for container image scanning), not Checkov. The tests/runtime/data/ directory is not gated by any security scanner, and test fixtures do not require production-level security configurations. The fixture is valid as-is.

Likely an incorrect or invalid review comment.

plugins/filter_kubernetes/kube_regex.h (1)

25-25: No action needed – regex extraction uses only named capture groups, not numeric positions.

The code uses flb_regex_parse() with a callback that extracts match values by group name (via strcmp() on "pod_name", "namespace_name", "container_name", "docker_id"), not by numeric capture indices. Non-capturing groups (?:...) do not affect named group extraction, so the change is safe.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@cosmo0920 cosmo0920 force-pushed the cosmo0920-fix-accidentally-removed-u-in-prefix branch from 67aa0a2 to ce21b18 Compare January 13, 2026 10:58
@cosmo0920 cosmo0920 force-pushed the cosmo0920-fix-accidentally-removed-u-in-prefix branch from ce21b18 to 9cf4c9f Compare January 13, 2026 11:05
@cosmo0920 cosmo0920 force-pushed the cosmo0920-fix-accidentally-removed-u-in-prefix branch from 50e62c9 to 6343780 Compare January 14, 2026 08:04
@cosmo0920 cosmo0920 force-pushed the cosmo0920-fix-accidentally-removed-u-in-prefix branch from 6343780 to 5fbd345 Compare January 14, 2026 08:06
@cosmo0920 cosmo0920 marked this pull request as ready for review January 14, 2026 10:21
@cosmo0920 cosmo0920 requested a review from edsiper as a code owner January 14, 2026 10:21
@cosmo0920 cosmo0920 added this to the Fluent Bit v5.0 milestone Jan 14, 2026
coderabbitai[bot]
coderabbitai bot reviewed Jan 14, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
tests/runtime/filter_kubernetes.c (1)

71-110: Nice fix adding NUL-termination—consider hardening empty-file handling to avoid underflow in the trim logic.

If an .out file is empty (out_size == 0), p = out_buf + (out_size - 1) underflows; also fread(..., st.st_size, 1, ...) fails for st.st_size == 0.

Suggested hardening 
 static int file_to_buf(const char *path, char **out_buf, size_t *out_size)
 {
     int ret;
-    long bytes;
+    size_t bytes;
     char *buf;
     FILE *fp;
     struct stat st;
+    size_t sz;

     ret = stat(path, &st);
     if (ret == -1) {
         return -1;
     }
+    sz = (size_t) st.st_size;

     fp = fopen(path, "r");
     if (!fp) {
         return -1;
     }

-    buf = flb_malloc(st.st_size + 1);
+    buf = flb_malloc(sz + 1);
     if (!buf) {
         flb_errno();
         fclose(fp);
         return -1;
     }

-    bytes = fread(buf, st.st_size, 1, fp);
-    if (bytes != 1) {
+    bytes = fread(buf, 1, sz, fp);
+    if (bytes != sz) {
         flb_errno();
         flb_free(buf);
         fclose(fp);
         return -1;
     }
-    buf[st.st_size] = '\0';
+    buf[sz] = '\0';

     fclose(fp);
     *out_buf = buf;
-    *out_size = st.st_size;
+    *out_size = sz;

     return 0;
 }

@@
     /* Sanitize content, get rid of ending \n */
-    p = out_buf + (out_size - 1);
-    while (*p == '\n' || *p == '\r') p--;
-    *++p = '\0';
+    p = out_buf + out_size;
+    while (p > out_buf && (p[-1] == '\n' || p[-1] == '\r')) p--;
+    *p = '\0';

Also applies to: 134-139

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 797031c and 5fbd345.

⛔ Files ignored due to path filters (2)
  • tests/runtime/data/kubernetes/log/core/core_uat-myapp-12345_fluent-bit.log is excluded by !**/*.log
  • tests/runtime/data/kubernetes/out/core/core_uat-myapp-12345_fluent-bit.out is excluded by !**/*.out
📒 Files selected for processing (3)
  • plugins/filter_kubernetes/kube_regex.h
  • tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json
  • tests/runtime/filter_kubernetes.c
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings 
Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes generated from pod-template-hash can vary in length and are not always 10 characters. Examples include "9dbdfc456" (9 chars) from "amazon-cloudwatch-observability-controller-manager-9dbdfc456" and "914055854" (9 chars) from "kairosdb-914055854". The DEPLOYMENT_REGEX pattern using {6,10} range for the ID group correctly accommodates this variable length behavior.

Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes are not always 10 characters. The suffix length can vary, as demonstrated by the example "amazon-cloudwatch-observability-controller-manager-9dbdfc456" which has a 9-character suffix. The original DEPLOYMENT_REGEX pattern using {6,10} range for the ID group is more accurate than assuming a fixed 10-character length.

Learnt from: hlein
Repo: fluent/fluent-bit PR: 11168
File: conf/parsers_mult.yaml:8-14
Timestamp: 2025-11-16T22:16:26.032Z
Learning: In Fluent Bit parser configurations (both .conf and .yaml formats), the regex engine automatically strips leading and trailing `/` characters from regex patterns, so patterns like `/Processing by .../` and `Processing by ...` are functionally equivalent and both work correctly.
📚 Learning: 2025-08-14T18:14:41.453Z 
Learnt from: zhihonl
Repo: fluent/fluent-bit PR: 10586
File: plugins/filter_kubernetes/kube_regex.h:29-29
Timestamp: 2025-08-14T18:14:41.453Z
Learning: Kubernetes ReplicaSet suffixes generated from pod-template-hash can vary in length and are not always 10 characters. Examples include "9dbdfc456" (9 chars) from "amazon-cloudwatch-observability-controller-manager-9dbdfc456" and "914055854" (9 chars) from "kairosdb-914055854". The DEPLOYMENT_REGEX pattern using {6,10} range for the ID group correctly accommodates this variable length behavior.

Applied to files:

  • plugins/filter_kubernetes/kube_regex.h
🪛 Checkov (3.2.334)
tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json

[medium] 2-17: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

[medium] 2-17: Minimize the admission of root containers

(CKV_K8S_23)

🔇 Additional comments (3)
tests/runtime/filter_kubernetes.c (1)

415-423: No action required—all required fixture files already exist.

The fixture files for kube_short_prefix_uat_podname are present:

  • tests/runtime/data/kubernetes/log/core/core_uat-myapp-12345_fluent-bit.log
  • tests/runtime/data/kubernetes/out/core/core_uat-myapp-12345_fluent-bit.out
  • tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json

The test is properly registered at line 1128 in the test array.

Likely an incorrect or invalid review comment.

tests/runtime/data/kubernetes/meta/short-prefix-uat-podname.json (1)

1-16: No action needed—test fixtures are not scanned by any security tool in CI.

This repository uses Trivy (only for container image scanning), not Checkov. The tests/runtime/data/ directory is not gated by any security scanner, and test fixtures do not require production-level security configurations. The fixture is valid as-is.

Likely an incorrect or invalid review comment.

plugins/filter_kubernetes/kube_regex.h (1)

25-25: No action needed – regex extraction uses only named capture groups, not numeric positions.

The code uses flb_regex_parse() with a callback that extracts match values by group name (via strcmp() on "pod_name", "namespace_name", "container_name", "docker_id"), not by numeric capture indices. Non-capturing groups (?:...) do not affect named group extraction, so the change is safe.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

Fluent Bit v5.0

Development

Successfully merging this pull request may close these issues.

pod name 以字母u开头会缺失

2 participants

@cosmo0920