[processor/resourcedetection] Add OIDC issuer and token path checks for EKS detection#45885

Open
Aneurysm9 wants to merge 2 commits into open-telemetry:main from Aneurysm9:fix/isEKSDetection

@Aneurysm9
Member

EKS changed the gitVersion format in Kubernetes 1.35 (platform version eks.3), removing the -eks- identifier that the detector relied on. This adds multiple fallback detection methods before the gitVersion check:

  1. IRSA token path - AWS_WEB_IDENTITY_TOKEN_FILE contains "eks.amazonaws.com"
  2. Pod Identity token path - AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE contains "eks-pod-identity"
  3. OIDC issuer - API server /.well-known/openid-configuration issuer contains "oidc.eks."
  4. Fallback: gitVersion contains "-eks-" (existing check)

Each positive signal is reasonably conclusive. Errors in earlier checks gracefully fall through to subsequent checks.

Fixes #45866

Member

@paulojmdias left a comment

LGTM. I think we should open an issue to extend the current E2E tests to validate this change.

Please take a look into the CI errors

…or EKS detection

EKS changed the `gitVersion` format in Kubernetes 1.35 (platform version eks.3),
removing the `-eks-` identifier that the detector relied on. This adds multiple
fallback detection methods before the `gitVersion` check:

1. IRSA token path - `AWS_WEB_IDENTITY_TOKEN_FILE` contains "eks.amazonaws.com"
2. Pod Identity token path - `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` contains "eks-pod-identity"
3. OIDC issuer - API server `/.well-known/openid-configuration` issuer contains "oidc.eks."
4. Fallback: `gitVersion` contains "-eks-" (existing check)

Each positive signal is reasonably conclusive. Errors in earlier checks
gracefully fall through to subsequent checks.

Fixes open-telemetry#45866

Signed-off-by: Anthony J Mirabella <a9@aneurysm9.com>

@Aneurysm9
Member Author

Fixed the lint issues. The unit test failure seems to be a flake in groupbytraceprocessor tests unrelated to this change.

@paulojmdias
Member

Yeah, just comment /rerun for the pipeline to be retried.

Thank you again.
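
The check order from the pull request description and commit message above, sketched as an added Go example; it is not the code from this PR or from the resourcedetection processor. The `Probes` type, `DetectEKS` and the signal names are hypothetical, the two API server lookups are injected as functions so the block runs offline, and the values in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Probes holds the lookups the checks need. All names here are hypothetical.
type Probes struct {
	Getenv     func(string) string
	OIDCIssuer func() (string, error) // issuer from /.well-known/openid-configuration
	GitVersion func() (string, error) // gitVersion reported by the API server
}

// DetectEKS runs the four checks in the order listed in the PR description and
// returns the name of the first signal that matched, or "" if none did.
// A probe error is recorded and the next check still runs (fall-through).
func DetectEKS(p Probes) (signal string, errs []error) {
	if strings.Contains(p.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), "eks.amazonaws.com") {
		return "irsa-token-path", nil
	}
	if strings.Contains(p.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"), "eks-pod-identity") {
		return "pod-identity-token-path", nil
	}
	if iss, err := p.OIDCIssuer(); err != nil {
		errs = append(errs, fmt.Errorf("oidc issuer: %w", err))
	} else if strings.Contains(iss, "oidc.eks.") {
		return "oidc-issuer", errs
	}
	if v, err := p.GitVersion(); err != nil {
		errs = append(errs, fmt.Errorf("gitVersion: %w", err))
	} else if strings.Contains(v, "-eks-") {
		return "git-version", errs
	}
	return "", errs
}

func main() {
	// Constructed sample: no token env vars, issuer lookup fails, old-style gitVersion.
	p := Probes{
		Getenv:     func(string) string { return "" },
		OIDCIssuer: func() (string, error) { return "", errors.New("forbidden") },
		GitVersion: func() (string, error) { return "v1.30.0-eks-0000000", nil },
	}
	sig, errs := DetectEKS(p)
	fmt.Println(sig, len(errs))
}
```

Returning the matched signal name alongside the collected probe errors lets a caller log which check decided the result and which earlier checks were skipped because of errors.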

Successfully merging this pull request may close these issues.

[processor/resourcedetection] AWS EKS resource detector check returns false for new EKS platform versions