Vector making api requests to Kubernetes API server without using resource_version

[jeremy-mi-rh]

A note for the community

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

This is to split issues 16753 to its own.

Context

We use vector to deliver kubernetes_logs to our kafka cluster which will be later processed and ingested into Humio. Vector is deployed as a daemon set in our kubernetes clusteres (each with >1000 nodes running).

We recently had an outage in one of our kubernetes clusters (with ~1100 nodes running). There was a failure in ETCD leader node, which resulted in a cascaded failure where pods making 1000x API calls to our API server which eventually brought the kubernetes control plane down entirely.

In the process of remediation, we identified vector as one of the candidate that was hammering the API server. Shutting down vector along with a few other daemon sets eventually reduced the traffic on Control Plane components, which allows ETCD nodes to recover.

Issue: resource_version not set when making API requests to Kube API server

Based on this issue: #7943, resource_version was set to 0 in vector 0.18 - 0.20. PR #11714 adopted kube-rs and dropped the change in #9974. When looking at the Audit logs from kube-api-server, we don't see the resource_version set in the request URL, which makes us wonder if this was an regression

Sample request in audit logs:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"xxx","stage":"ResponseComplete","requestURI":"/api/v1/nodes?\u0026fieldSelector=metadata.name%3Dip-10-x-x-x.ec2.internal","verb":"list","user":{"username":"system:serviceaccount:vector:vector-agent","uid":"xxx","groups":["system:serviceaccounts","system:serviceaccounts:vector","system:authenticated"]},"sourceIPs":["10.x.x.x"],"objectRef":{"resource":"nodes","name":"ip-10-x-x-x.ec2.internal","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-03-08T02:29:15.992746Z","stageTimestamp":"2023-03-08T02:29:16.534351Z","annotations":{"authentication.k8s.io/legacy-token":"system:serviceaccount:vector:vector-agent","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"default-reader-role-binding\" of ClusterRole \"cluster-read-all\" to Group \"system:authenticated\""}}

Version

vector 0.27.0 (x86_64-unknown-linux-gnu 5623d1e 2023-01-18)

References

#7943
#16753

[nabokihms]

Opened a PR against kube-rs to allow setting a resource version (for list requests only, for now).
kube-rs/kube#1162

[spencergilbert]

Thanks @nabokihms!

[jeremy-mi-rh]

Thanks @nabokihms !

[yashsarma]

Thanks @nabokihms

[nabokihms]

kube-rs changes have been merged into master branch. Once the new version of the client is out, I will make the changes to vector accordingly.

[nabokihms]

The new option is added to vector.
With use_apiserver_cache=true, it is possible to reduce the control plane pressure significantly.

Under the hood, this option makes vector use resource_version=0 for all initial list requests.

[xiaozongyang]

Hi @nabokihms

We meet the same issue in vector 0.45.0 (x86_64-unknown-linux-gnu 063cabb 2025-02-24 14:52:02.810034614) and the image version is timberio/vector:0.45.0-debian.

We set the option use_apiserver_cache=true, the audit log from the k8s master is as follows. How can we find out the options is working as expected?

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Request",
  "auditID": "0283fc33-d7ed-40db-a1f2-b933aa77c2e8",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/pods?&fieldSelector=spec.nodeName%3D10-188-1-160&labelSelector=vector.dev%2Fexclude%21%3Dtrue&limit=500",
  "verb": "list",
  "user": {
    "username": "system:serviceaccount:vector:vector",
    "uid": "59c7dfce-8b9f-4012-a8fe-12a26d194ab5",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:vector",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/credential-id": [
        "JTI=38f3d642-05cc-4591-af7d-73629ea2da2c"
      ],
      "authentication.kubernetes.io/node-name": [
        "10-188-1-160"
      ],
      "authentication.kubernetes.io/node-uid": [
        "f87e4935-3f7d-4bf4-a53b-4f42f2c2615c"
      ],
      "authentication.kubernetes.io/pod-name": [
        "vector-4trsc"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "83f17f7d-ab97-4771-a1f0-587941785e06"
      ]
    }
  },
  "sourceIPs": [
    "10.188.1.160"
  ],
  "userAgent": "vector/0.45.0",
  "objectRef": {
    "resource": "pods",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2025-04-17T13:09:40.942364Z",
  "stageTimestamp": "2025-04-17T13:09:43.493764Z",
  "annotations": {
    "apiserver.latency.k8s.io/decode-response-object": "1.411585301s",
    "apiserver.latency.k8s.io/etcd": "1.074619603s",
    "apiserver.latency.k8s.io/response-write": "215.432µs",
    "apiserver.latency.k8s.io/serialize-response-object": "1.826429ms",
    "apiserver.latency.k8s.io/total": "2.551400294s",
    "apiserver.latency.k8s.io/transform-response-object": "251ns",
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"vector\" of ClusterRole \"vector\" to ServiceAccount \"vector/vector\""
  }
}

[xiaozongyang]

In the source code referenced as https://github.com/kube-rs/kube/blob/0.93.1/kube-core/src/params.rs#L109, if the resource version is "0" it won't be appended to the request URL.