feat(k8s): replace API server watch with kubelet /pods polling

  Reduces API server load on large clusters by polling local kubelet
  /pods endpoint instead of maintaining persistent watch connections.

  - Add kubeletPodInformer that polls kubelet at NODE_IP:10250/pods
  - Use downward API (status.hostIP) to get node IP
  - Add nodes/proxy RBAC for kubelet webhook authorization
  - Keep apiserver mode as fallback via kube.podInformer.mode config

Signed-off-by: Vimal Kumar <vimal78@gmail.com>

Author: vimalk78

cmd/kepler/main.go

@@ -137,11 +137,7 @@ func createServices(logger *slog.Logger, cfg *config.Config) ([]service.Service,
 
 	var podInformer pod.Informer
 	if *cfg.Kube.Enabled {
-		podInformer = pod.NewInformer(
-			pod.WithLogger(logger),
-			pod.WithKubeConfig(cfg.Kube.Config),
-			pod.WithNodeName(cfg.Kube.Node),
-		)
+		podInformer = createPodInformer(cfg, logger)
 		services = append(services, podInformer)
 	}
 	resourceInformer, err := resource.NewInformer(
@@ -231,6 +227,30 @@ func createServices(logger *slog.Logger, cfg *config.Config) ([]service.Service,
 	return services, nil
 }
 
+func createPodInformer(cfg *config.Config, logger *slog.Logger) pod.Informer {
+	if cfg.Kube.PodInformer.Mode == "apiserver" {
+		logger.Info("using API server pod informer")
+		return pod.NewInformer(
+			pod.WithLogger(logger),
+			pod.WithKubeConfig(cfg.Kube.Config),
+			pod.WithNodeName(cfg.Kube.Node),
+		)
+	}
+
+	// Default: kubelet-based informer
+	logger.Info("using kubelet pod informer",
+		"host", cfg.Kube.PodInformer.KubeletHost,
+		"port", cfg.Kube.PodInformer.KubeletPort,
+		"pollInterval", cfg.Kube.PodInformer.PollInterval)
+	return pod.NewKubeletInformer(
+		pod.WithLogger(logger),
+		pod.WithNodeName(cfg.Kube.Node),
+		pod.WithKubeletHost(cfg.Kube.PodInformer.KubeletHost),
+		pod.WithKubeletPort(cfg.Kube.PodInformer.KubeletPort),
+		pod.WithPollInterval(cfg.Kube.PodInformer.PollInterval),
+	)
+}
+
 func createRedfishService(logger *slog.Logger, cfg *config.Config) (*redfish.Service, error) {
 	return redfish.NewService(cfg.Experimental.Platform.Redfish, logger, redfish.WithStaleness(cfg.Monitor.Staleness))
 }

config/config.go

@@ -117,10 +117,18 @@ type (
 		Pprof PprofDebug `yaml:"pprof"`
 	}
 
+	PodInformer struct {
+		Mode         string        `yaml:"mode"`         // "kubelet" (default) or "apiserver"
+		PollInterval time.Duration `yaml:"pollInterval"` // Poll interval for kubelet mode
+		KubeletHost  string        `yaml:"kubeletHost"`  // Kubelet host (default: localhost)
+		KubeletPort  int           `yaml:"kubeletPort"`  // Kubelet port (default: 10250)
+	}
+
 	Kube struct {
-		Enabled *bool  `yaml:"enabled"`
-		Config  string `yaml:"config"`
-		Node    string `yaml:"nodeName"`
+		Enabled     *bool       `yaml:"enabled"`
+		Config      string      `yaml:"config"`
+		Node        string      `yaml:"nodeName"`
+		PodInformer PodInformer `yaml:"podInformer"`
 	}
 
 	// Platform contains settings for platform power monitoring
@@ -302,6 +310,12 @@ func DefaultConfig() *Config {
 		},
 		Kube: Kube{
 			Enabled: ptr.To(false),
+			PodInformer: PodInformer{
+				Mode:         "kubelet",
+				PollInterval: 15 * time.Second,
+				KubeletHost:  "", // resolved at runtime via NODE_IP env var
+				KubeletPort:  10250,
+			},
 		},
 
 		// NOTE: Experimental config will be nil by default and only allocated when needed

internal/k8s/pod/kubelet.go

@@ -0,0 +1,221 @@
+// SPDX-FileCopyrightText: 2025 The Kepler Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package pod
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"sync"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	defaultKubeletPort      = 10250
+	defaultPollInterval     = 15 * time.Second
+	defaultRequestTimeout   = 10 * time.Second
+	serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
+// getDefaultKubeletHost returns the kubelet host from NODE_IP env var,
+// falling back to "localhost" if not set. The NODE_IP should be set via
+// downward API (status.hostIP) in the pod spec.
+func getDefaultKubeletHost() string {
+	if nodeIP := os.Getenv("NODE_IP"); nodeIP != "" {
+		return nodeIP
+	}
+	return "localhost"
+}
+
+type kubeletPodInformer struct {
+	logger       *slog.Logger
+	nodeName     string
+	kubeletHost  string
+	kubeletPort  int
+	pollInterval time.Duration
+
+	httpClient *http.Client
+	token      string
+
+	mu    sync.RWMutex
+	cache map[string]*ContainerInfo // containerID -> ContainerInfo
+}
+
+// NewKubeletInformer creates a new kubelet-based pod informer that polls
+// the local kubelet /pods endpoint instead of watching the API server.
+func NewKubeletInformer(opts ...OptFn) *kubeletPodInformer {
+	opt := DefaultOpts()
+	for _, fn := range opts {
+		fn(&opt)
+	}
+
+	host := opt.kubeletHost
+	if host == "" {
+		host = getDefaultKubeletHost()
+	}
+	port := opt.kubeletPort
+	if port == 0 {
+		port = defaultKubeletPort
+	}
+	interval := opt.pollInterval
+	if interval == 0 {
+		interval = defaultPollInterval
+	}
+
+	return &kubeletPodInformer{
+		logger:       opt.logger.With("service", "kubeletPodInformer"),
+		nodeName:     opt.nodeName,
+		kubeletHost:  host,
+		kubeletPort:  port,
+		pollInterval: interval,
+		cache:        make(map[string]*ContainerInfo),
+	}
+}
+
+func (i *kubeletPodInformer) Name() string {
+	return "kubeletPodInformer"
+}
+
+func (i *kubeletPodInformer) Init() error {
+	if i.nodeName == "" {
+		return fmt.Errorf("nodeName not set")
+	}
+
+	// Read ServiceAccount token
+	tokenBytes, err := os.ReadFile(serviceAccountTokenPath)
+	if err != nil {
+		return fmt.Errorf("failed to read SA token: %w", err)
+	}
+	i.token = string(tokenBytes)
+
+	// Setup HTTP client with TLS (kubelet uses self-signed cert)
+	i.httpClient = &http.Client{
+		Timeout: defaultRequestTimeout,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, // kubelet uses self-signed cert
+			},
+		},
+	}
+
+	// Do initial fetch
+	if err := i.refresh(); err != nil {
+		return fmt.Errorf("initial kubelet fetch failed: %w", err)
+	}
+
+	i.logger.Info("kubelet pod informer initialized",
+		"nodeName", i.nodeName,
+		"kubeletHost", i.kubeletHost,
+		"kubeletPort", i.kubeletPort,
+		"pollInterval", i.pollInterval)
+
+	return nil
+}
+
+func (i *kubeletPodInformer) Run(ctx context.Context) error {
+	i.logger.Info("starting kubelet pod informer")
+	ticker := time.NewTicker(i.pollInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			i.logger.Info("kubelet pod informer stopped")
+			return nil
+		case <-ticker.C:
+			if err := i.refresh(); err != nil {
+				i.logger.Warn("failed to refresh pods from kubelet", "error", err)
+			}
+		}
+	}
+}
+
+func (i *kubeletPodInformer) refresh() error {
+	url := fmt.Sprintf("https://%s:%d/pods", i.kubeletHost, i.kubeletPort)
+
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", "Bearer "+i.token)
+
+	resp, err := i.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("kubelet returned status %d", resp.StatusCode)
+	}
+
+	var podList corev1.PodList
+	if err := json.NewDecoder(resp.Body).Decode(&podList); err != nil {
+		return fmt.Errorf("failed to decode pod list: %w", err)
+	}
+
+	// Build container ID -> pod info cache
+	newCache := make(map[string]*ContainerInfo)
+	for _, pod := range podList.Items {
+		i.addContainersToCache(newCache, &pod, pod.Status.ContainerStatuses)
+		i.addContainersToCache(newCache, &pod, pod.Status.InitContainerStatuses)
+		i.addContainersToCache(newCache, &pod, pod.Status.EphemeralContainerStatuses)
+	}
+
+	i.mu.Lock()
+	i.cache = newCache
+	i.mu.Unlock()
+
+	i.logger.Debug("refreshed pod cache from kubelet",
+		"podCount", len(podList.Items),
+		"containerCount", len(newCache))
+	return nil
+}
+
+func (i *kubeletPodInformer) addContainersToCache(cache map[string]*ContainerInfo, pod *corev1.Pod, statuses []corev1.ContainerStatus) {
+	for _, status := range statuses {
+		if status.ContainerID == "" {
+			continue
+		}
+		containerID := extractContainerID(status.ContainerID)
+		cache[containerID] = &ContainerInfo{
+			PodID:         string(pod.UID),
+			PodName:       pod.Name,
+			Namespace:     pod.Namespace,
+			ContainerName: status.Name,
+		}
+	}
+}
+
+// LookupByContainerID retrieves pod details and container name given a containerID.
+// If the containerID is not found in cache, it triggers an immediate refresh.
+func (i *kubeletPodInformer) LookupByContainerID(containerID string) (*ContainerInfo, bool, error) {
+	i.mu.RLock()
+	info, found := i.cache[containerID]
+	i.mu.RUnlock()
+
+	if found {
+		return info, true, nil
+	}
+
+	// Trigger immediate refresh for unknown container
+	if err := i.refresh(); err != nil {
+		i.logger.Warn("on-demand refresh failed", "error", err)
+	}
+
+	i.mu.RLock()
+	info, found = i.cache[containerID]
+	i.mu.RUnlock()
+
+	if !found {
+		return nil, false, nil
+	}
+	return info, true, nil
+}