Feature request: Label Whitelist #15577

Open
LukoJy3D opened this issue Jan 2, 2025 · 3 comments
Labels
type/docs Issues related to technical documentation; the Docs Squad uses this label across many repositories

Comments

Contributor

LukoJy3D commented Jan 2, 2025

Is your feature request related to a problem? Please describe.
Currently, Loki does not provide a native mechanism to restrict or whitelist labels at ingestion. With larger single-tenant deployments, simple human error or a lack of knowledge about how Loki deals with labels can cause the stream limit to be hit. I am aware of promtail and fluent-bit solutions to control this, but not everything can be covered with such preprocessing pipelines.

Describe the solution you'd like
Add a configuration option in Loki’s limits_config to define a label whitelist, such as:

```yaml
limits_config:
  allowed_labels:
    - cluster
    - namespace
    - instance
  denied_labels: # Optional, to explicitly reject certain labels
    - kubernetes_pod_name
    - some_unique_id
```

If any other labels are sent, they are rejected.

Additional context
We had a case where one of the engineers with full access to Loki used a Python script with direct logging to Loki and created multiple high cardinality labels. Such cases are tough to predict, and even with various ACLs, this could still happen.

I see there already were minor thoughts about this: #8239 (comment).

JStickler added the type/docs label on Jan 6, 2025
Contributor

mveitas commented Jan 7, 2025

There is already something like this being used on the OTLP ingestion via the default_resource_attributes_as_index_labels configuration: https://grafana.com/docs/loki/latest/send-data/otel/#format-considerations. Other attributes from the OTLP log record are then added to the structured metadata.

> If any other labels are sent, they are rejected.

When you say rejected, are you referring to labels being dropped and not the log record, or would you expect these to be added as structured metadata?

Contributor Author

LukoJy3D commented Jan 7, 2025

We use those resource_attributes for ingestion from the Otel collector, and yes, it works great. But how can we limit this when it's being shipped from fluent-bit or, as mentioned, from a local Python script (which we have no control of)?

> When you say rejected, are you referring to labels being dropped and not the log record, or would you expect these to be added as structured metadata?

I would say that since Loki heavily relies on labels, it does not accept logs completely until the needed labels are added to the configuration.


Amoolaa commented Jan 10, 2025

You could use something like Alloy as a 'proxy' to your Loki instance and filter out anything including a set list of labels.
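
The three readings of "rejected" raised in this thread (refuse the push, drop the label, or move it to structured metadata), as an added Python example applied to a Loki JSON push body at a proxy in front of Loki. This is not code from Loki, Alloy, or any participant here; `enforce_allowlist`, its `mode` values and the sample payload are assumptions made for illustration.

```python
import json

# Assumed policy, mirroring the allowed_labels list proposed in the issue.
ALLOWED_LABELS = {"cluster", "namespace", "instance"}

def enforce_allowlist(payload, mode="reject"):
    """Filter a Loki JSON push body ({"streams": [...]}) before forwarding it.

    reject:   raise ValueError when a stream carries an unlisted label
    drop:     remove unlisted labels, keep the log lines
    metadata: move unlisted labels into each entry's structured metadata
    """
    if mode not in ("reject", "drop", "metadata"):
        raise ValueError(f"unknown mode: {mode}")
    merged = {}  # allowed label set -> entries; streams may collapse together
    for stream in payload.get("streams", []):
        labels = stream.get("stream", {})
        extra = {k: v for k, v in labels.items() if k not in ALLOWED_LABELS}
        kept = {k: v for k, v in labels.items() if k in ALLOWED_LABELS}
        if extra and mode == "reject":
            raise ValueError(f"labels not in allowlist: {sorted(extra)}")
        if not kept:
            raise ValueError("stream has no allowed labels")
        for entry in stream.get("values", []):
            meta = dict(entry[2]) if len(entry) > 2 else {}
            if mode == "metadata":
                meta = {**extra, **meta}  # the entry's own metadata wins
            out = [entry[0], entry[1]] + ([meta] if meta else [])
            merged.setdefault(tuple(sorted(kept.items())), []).append(out)
    # Streams that became identical are merged and re-sorted by timestamp.
    return {"streams": [
        {"stream": dict(key), "values": sorted(vals, key=lambda e: int(e[0]))}
        for key, vals in merged.items()]}

# Constructed sample: two streams that differ only in a per-event label.
SAMPLE = json.loads("""{"streams": [
  {"stream": {"cluster": "dev", "namespace": "shop", "some_unique_id": "a1"},
   "values": [["1736500000000000002", "second"]]},
  {"stream": {"cluster": "dev", "namespace": "shop", "some_unique_id": "b2"},
   "values": [["1736500000000000001", "first"]]}]}""")

if __name__ == "__main__":
    print(json.dumps(enforce_allowlist(SAMPLE, "metadata"), indent=2))
```

In `drop` and `metadata` mode the two input streams collapse into one, which is the cardinality reduction the request is after; `reject` leaves it to the sender to fix its labels.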