Today, I:
- switched to a custom service account with reduced scopes for my node pool as per https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_service_accounts_for_your_nodes
- enabled metadata concealment as per https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#conceal_node_metadata_beta.
I have been and am still using Stackdriver Logging.
Since making the changes above, my container log fields only contain empty strings for the fields "resource.labels.cluster_name", "resource.labels.instance_id", and "resource.labels.zone". I suspect that my new service account doesn't have sufficient permissions to obtain these, and/or metadata concealment prevents fluentd from obtaining the information to fill into these fields.
Did anyone else experience this before and/or know how to get these fields filled in again?
FYI, these are the roles configured for my node service account in IAM:
- Stackdriver Debugger Agent
- Stackdriver Profiler Agent
- Cloud Trace Agent
- Errors Writer
- Logs Writer
- Monitoring Metric Writer
- Monitoring Viewer
- Quota Viewer
- Service Controller
Thanks,
Daniel
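Added diagnostic example (not part of Daniel's post and not Google's code): a small Python script that separates the two hypotheses above. `find_entries_with_empty_labels` scans LogEntry-shaped records for the three empty `resource.labels` fields, and `probe_label_sources`, run from a pod on the affected node pool, asks the GCE metadata server for the values those labels are normally derived from. The metadata paths in `LABEL_PATHS` are an assumption about what the logging agent reads, not something stated in the post; if a path comes back as `None` under metadata concealment while the IAM roles are unchanged, concealment rather than the service account is the likely cause. The sample log entries are constructed.

```python
"""Diagnose empty resource.labels on GKE container logs (added example)."""
import json
import urllib.request
from urllib.error import URLError

# Assumption: the logging agent fills these labels from the GCE metadata
# server at these paths; the post does not state which paths it reads.
METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/"
LABEL_PATHS = {
    "cluster_name": "instance/attributes/cluster-name",
    "instance_id": "instance/id",
    "zone": "instance/zone",
}
REQUIRED_LABELS = tuple(LABEL_PATHS)


def fetch_metadata(path, timeout=2.0):
    """Return the metadata value at `path`, or None if unreachable or denied.

    Metadata concealment answers with an error for paths it hides, so None
    here means the agent could not have filled the matching label either.
    """
    req = urllib.request.Request(
        METADATA_BASE + path, headers={"Metadata-Flavor": "Google"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8").strip()
    except (URLError, OSError, ValueError):
        return None


def probe_label_sources(fetch=fetch_metadata):
    """Map each log label to the value the metadata server hands out (or None).

    `fetch` is injectable so the probe can be exercised offline with a fake.
    """
    return {label: fetch(path) for label, path in LABEL_PATHS.items()}


def find_entries_with_empty_labels(entries, required=REQUIRED_LABELS):
    """Return {insertId: [missing labels]} for LogEntry dicts whose
    resource.labels lack a non-empty value for any required label."""
    problems = {}
    for entry in entries:
        labels = entry.get("resource", {}).get("labels", {})
        missing = [key for key in required if not labels.get(key)]
        if missing:
            problems[entry.get("insertId", "<no-insertId>")] = missing
    return problems


# Constructed sample entries in Stackdriver LogEntry shape (not real logs).
SAMPLE_ENTRIES = [
    {"insertId": "a1", "resource": {"type": "k8s_container", "labels": {
        "cluster_name": "", "instance_id": "", "zone": "",
        "namespace_name": "default", "pod_name": "web-0"}}},
    {"insertId": "b2", "resource": {"type": "k8s_container", "labels": {
        "cluster_name": "prod", "instance_id": "123", "zone": "us-central1-a",
        "namespace_name": "default", "pod_name": "web-1"}}},
]

if __name__ == "__main__":
    # Part 1: which exported entries are affected.
    print(json.dumps(find_entries_with_empty_labels(SAMPLE_ENTRIES), indent=2))
    # Part 2: run this from a pod on the affected node pool to see which
    # metadata paths the concealment proxy still serves.
    print(json.dumps(probe_label_sources(), indent=2))
```

Feed real entries to `find_entries_with_empty_labels` by exporting them with `gcloud logging read ... --format=json`; the probe half only gives a meaningful answer when executed inside the cluster, since the metadata server is not reachable from elsewhere.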