how kubernetes sidecars break your observability (and how to fix it without rewriting your stack)

@pilput

8 months ago0views

why kubernetes sidecars are a double-edged sword for observability

kubernetes sidecars are a powerful pattern for extending container functionality without modifying the main application. they handle logging, monitoring, networking, and more—but they can also silently break your observability. if you're a devops engineer, full-stack developer, or sre, you've likely faced this: metrics disappear, logs get fragmented, or traces break unexpectedly. the culprit? often, it's the sidecar you added to "simplify" things.

in this guide, we’ll break down:

how sidecars disrupt observability (with real-world examples)
common pitfalls in logging, metrics, and tracing
practical fixes that don’t require rewriting your entire stack
tools and patterns to keep your observability intact

how sidecars break observability: the 3 biggest problems

1. logs: the "which container did this come from?" nightmare

sidecars often handle log collection (e.g., fluent bit, filebeat), but they introduce a critical issue: log provenance gets lost. when logs from your main app and sidecar intermingle, debugging becomes a guessing game. for example:

scenario: your app writes an error to stdout, but the sidecar (e.g., a log shipper) modifies timestamps or metadata before sending logs to elasticsearch. now, your log explorer shows:

2024-05-20t12:34:56z [error] failed to connect to db
2024-05-20t12:34:57z [fluent bit] processed 1 log lines

problem: which pod generated the error? was it during a sidecar restart? without proper labeling, you’re flying blind.

root cause: sidecars often strip or override kubernetes metadata (e.g., pod name, container id) when processing logs. tools like fluent bit require explicit configuration to preserve this context.

2. metrics: the "where did my data go?" black hole

sidecars like prometheus sidecars or telegraf agents are meant to scrape and export metrics, but they can:

double-count metrics if both the app and sidecar expose the same endpoint.
drop metrics silently if the sidecar crashes or hits resource limits.
add latency by acting as a middleman between your app and the monitoring backend.

example: your app exposes a /metrics endpoint, and a prometheus sidecar scrapes it. but if the sidecar’s resource limits are too low, it starts dropping samples:

level=error ts=2024-05-20t12:35:00z caller=scrape.go:1200 msg="scrape failed" err="context deadline exceeded"

result: your dashboards show gaps, and you miss critical spikes in cpu or memory usage.

3. traces: the "broken chain of custody" issue

distributed tracing (e.g., jaeger, opentelemetry) relies on context propagation across services. sidecars—especially service meshes like istio or linkerd—can break trace continuity by:

not forwarding trace headers (e.g., traceparent, uber-trace-id).
adding their own spans that clutter traces (e.g., istio’s "inbound" and "outbound" spans).
modifying headers in ways that make traces unjoinable.

debugging tip: run kubectl describe pod and check if your sidecar injects proxies (e.g., istio’s istio-proxy). then, inspect trace headers with:

kubectl exec -it <pod> -- curl -v http://your-service
# look for missing or malformed headers like:
# < traceparent: 00-1234567890abcdef1234567890abcdef-1234567890abcdef-01

how to fix sidecar observability issues (without rewriting everything)

1. logs: enforce structured logging + sidecar-aware labels

solution: ensure your app emits structured logs (json) with explicit fields for:

pod name (kubernetes.pod_name)
container name (kubernetes.container_name)
timestamp in iso format (@timestamp)

then, configure your sidecar (e.g., fluent bit) to preserve these fields and avoid overwriting them. example fluent bit config:

[input]
    name              tail
    path              /var/log/containers/*.log
    parser            json
    tag               kube.*
    db                /var/log/flb_kube.db
    mem_buf_limit     5mb
    skip_long_lines   on
    refresh_interval  10

[filter]
    name          modify
    match         kube.*
    rename        log process
    copy          kubernetes.pod_name pod_name
    copy          kubernetes.container_name container_name

key: the copy directives ensure metadata survives processing.

2. metrics: direct scraping + sidecar as a fallback

solution: avoid relying solely on sidecars for metrics. instead:

expose metrics directly from your app (e.g., /metrics on port 8080).
use podmonitor or servicemonitor in prometheus to scrape the app and the sidecar separately.

set resource limits for sidecars to prevent drops:

resources:
  limits:
    memory: "128mi"
    cpu: "100m"

pro tip: use kubectl top pod to monitor sidecar resource usage:

kubectl top pod --containers
# look for sidecars consuming excessive cpu/memory.

3. traces: explicit header propagation + sidecar tuning

solution: for service meshes (e.g., istio), ensure trace headers are propagated:

add traceparent and tracestate to the mesh’s allowed headers.

for istio, use a virtualservice to explicitly pass headers:

apiversion: networking.istio.io/v1alpha3
kind: virtualservice
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
    corspolicy:
      allowheaders:
      - traceparent
      - tracestate

for non-mesh sidecars, ensure they don’t strip headers. test with:

kubectl exec -it <pod> -- curl -h "traceparent: 00-123..." http://localhost:8080

advanced fixes: observability-aware sidecar patterns

1. the "ambassador" sidecar (proxy + observability)

instead of a generic sidecar, use an "ambassador" container that:

forwards logs/metrics without modification.
adds minimal metadata (e.g., sidecar version) as a separate field.
runs with shareprocessnamespace: true to access the main container’s filesystem.

example pod spec:

apiversion: v1
kind: pod
metadata:
  name: my-app
spec:
  shareprocessnamespace: true
  containers:
  - name: app
    image: my-app:latest
    volumemounts:
    - name: logs
      mountpath: /var/log/app
  - name: log-ambassador
    image: fluent/fluent-bit
    volumemounts:
    - name: logs
      mountpath: /var/log/app
  volumes:
  - name: logs
    emptydir: {}

2. ebpf-based observability (no sidecar needed)

tools like pixie or cilium use ebpf to capture observability data without sidecars, avoiding the problem entirely. example:

install pixie:

kubectl apply -f https://raw.githubusercontent.com/pixie-io/pixie/main/k8s/operator.yaml

query http traces:

px run px/http_traces -n my-namespace

3. opentelemetry collector as a sidecar (standardized approach)

replace ad-hoc sidecars with the opentelemetry collector, which:

supports logs, metrics, and traces in one agent.
preserves context with standardized semantic conventions.
can run as a sidecar or daemonset.

example collector config:

receivers:
  otlp:
    protocols:
      grpc:
      http:
processors:
  batch:
exporters:
  logging:
    loglevel: debug
  otlp:
    endpoint: otel-collector:4317
service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [batch]
      exporters: [otlp]

key takeaways: observability-first sidecar design

sidecars don’t have to break observability if you:

treat sidecars as "observability citizens": they should preserve, not obscure, context.
test observability pipelines: use tools like kubectl logs, kubectl exec, and curl to verify data flow.
prefer standardized tools: opentelemetry, ebpf, or service meshes with explicit trace support.
monitor the sidecars themselves: they’re part of your stack—track their resource usage and errors.

final thought: sidecars are like plumbing—when they work, you don’t notice them; when they break, everything floods. by designing for observability upfront, you avoid the "midnight debugging" scenario where logs, metrics, or traces vanish into the void.

next steps:

audit your sidecars with kubectl describe pod and kubectl logs.
adopt structured logging and opentelemetry if you haven’t already.
test trace propagation with a tool like otel-trace.