feat: add node filtering to loki.source.podlogs (#4022)

* feat: add node filtering to loki.source.podlogs

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Fix tests

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

* Update docs/sources/reference/components/loki/loki.source.podlogs.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

---------

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

Author: QuentinBisson

CHANGELOG.md

@@ -36,6 +36,8 @@ Main (unreleased)
 
 - Add the `otelcol.receiver.fluentforward` receiver to receive logs via Fluent Forward Protocol. (@rucciva)
 
+- Add `node_filter` configuration block to `loki.source.podlogs` component to enable node-based filtering for pod discovery. When enabled, only pods running on the specified node will be discovered and monitored, significantly reducing API server load and network traffic in DaemonSet deployments. (@QuentinBisson)
+
 - (_Experimental_) Additions to experimental `database_observability.mysql` component:
   - `query_sample` collector now supports auto-enabling the necessary `setup_consumers` settings (@cristiangreco)
 
@@ -352,7 +354,7 @@ v1.8.3
 
 - Fix `mimir.rules.kubernetes` panic on non-leader debug info retrieval (@TheoBrigitte)
 
-- Fix detection of the “streams limit exceeded” error in the Loki client so that metrics are correctly labeled as `ReasonStreamLimited`. (@maratkhv)
+- Fix detection of the "streams limit exceeded" error in the Loki client so that metrics are correctly labeled as `ReasonStreamLimited`. (@maratkhv)
 
 - Fix `loki.source.file` race condition that often lead to panic when using `decompression`. (@kalleep)
 

docs/sources/reference/components/loki/loki.source.podlogs.md

@@ -129,6 +129,7 @@ You can use the following blocks with `loki.source.podlogs`:
 | [`clustering`][clustering]                                    | Configure the component for when {{< param "PRODUCT_NAME" >}} is running in clustered mode. | no       |
 | [`namespace_selector`][selector]                              | Label selector for which namespaces to discover `PodLogs` in.                               | no       |
 | `namespace_selector` > [`match_expression`][match_expression] | Label selector expression for which namespaces to discover `PodLogs` in.                    | no       |
+| [`node_filter`][node_filter]                                  | Filter Pods by node to limit discovery scope.                                               | no       |
 | [`selector`][selector]                                        | Label selector for which `PodLogs` to discover.                                             | no       |
 | `selector` > [`match_expression`][match_expression]           | Label selector expression for which `PodLogs` to discover.                                  | no       |
 
@@ -140,6 +141,7 @@ For example, `client` > `basic_auth` refers to a `basic_auth` block defined insi
 [basic_auth]: #basic_auth
 [clustering]: #clustering
 [match_expression]: #match_expression
+[node_filter]: #node_filter
 [oauth2]: #oauth2
 [selector]: #selector-and-namespace_selector
 [tls_config]: #tls_config
@@ -213,6 +215,37 @@ Clustering looks only at the following labels for determining the shard key:
 
 [using clustering]: ../../../../get-started/clustering/
 
+### `node_filter`
+
+The `node_filter` block configures node-based filtering for Pod discovery.
+
+The following arguments are supported: 
+
+| Name        | Type     | Description                                                                               | Default | Required |
+| ----------- | -------- | ----------------------------------------------------------------------------------------- | ------- | -------- |
+| `enabled`   | `bool`   | Enable node-based filtering for Pod discovery.                                            | `false` | no       |
+| `node_name` | `string` | Node name to filter Pods by. Falls back to the `NODE_NAME` environment variable if empty. | `""`    | no       |
+
+When you set `enabled` to `true`, `loki.source.podlogs` only discovers and collects logs from Pods running on the specified node.
+This is particularly useful when running {{< param "PRODUCT_NAME" >}} as a DaemonSet to avoid collecting logs from Pods on other nodes.
+
+If you don't specify `node_name`, `loki.source.podlogs` attempts to use the `NODE_NAME` environment variable.
+This allows for easy configuration in DaemonSet deployments where you can inject the node name with the [Kubernetes downward API][].
+
+[Kubernetes downward API]: https://kubernetes.io/docs/concepts/workloads/pods/downward-api/
+
+Example DaemonSet configuration:
+
+```yaml
+env:
+  - name: NODE_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: spec.nodeName
+```
+
+Node filtering significantly reduces API server load and network traffic by limiting Pod discovery to only the local node, making it highly recommended for DaemonSet deployments in large clusters.
+
 ### `match_expression`
 
 The `match_expression` block describes a Kubernetes label match expression for `PodLogs` or Namespace discovery.
@@ -292,6 +325,25 @@ loki.write "local" {
 }
 ```
 
+This example shows how to use node filtering for DaemonSet deployments to collect logs only from Pods running on the current node:
+
+```alloy
+loki.source.podlogs "daemonset" {
+  forward_to = [loki.write.local.receiver]
+  
+  node_filter {
+    enabled = true
+    // node_name will be automatically read from NODE_NAME environment variable
+  }
+}
+
+loki.write "local" {
+  endpoint {
+    url = sys.env("LOKI_URL")
+  }
+}
+```
+
 <!-- START GENERATED COMPATIBLE COMPONENTS -->
 
 ## Compatible components

internal/component/loki/source/podlogs/podlogs.go

@@ -49,9 +49,23 @@ type Arguments struct {
 	NamespaceSelector config.LabelSelector `alloy:"namespace_selector,block,optional"`
 	TailFromEnd       bool                 `alloy:"tail_from_end,attr,optional"`
 
+	// Node filtering settings to limit pod discovery to specific nodes.
+	NodeFilter NodeFilterConfig `alloy:"node_filter,block,optional"`
+
 	Clustering cluster.ComponentBlock `alloy:"clustering,block,optional"`
 }
 
+// NodeFilterConfig configures node-based filtering for pod discovery.
+// When enabled, only pods running on the specified node will be discovered,
+// which is useful for DaemonSet deployments to avoid cross-node log collection.
+type NodeFilterConfig struct {
+	// Enabled controls whether node filtering is active.
+	Enabled bool `alloy:"enabled,attr,optional"`
+	// NodeName specifies the node name to filter by. If empty, the component
+	// will attempt to use the NODE_NAME environment variable.
+	NodeName string `alloy:"node_name,attr,optional"`
+}
+
 // DefaultArguments holds default settings for loki.source.kubernetes.
 var DefaultArguments = Arguments{
 	Client: commonk8s.DefaultClientArguments,
@@ -267,8 +281,13 @@ func (c *Component) updateReconciler(args Arguments) error {
 	var (
 		selectorChanged          = !reflect.DeepEqual(c.args.Selector, args.Selector)
 		namespaceSelectorChanged = !reflect.DeepEqual(c.args.NamespaceSelector, args.NamespaceSelector)
+		nodeFilterChanged        = !reflect.DeepEqual(c.args.NodeFilter, args.NodeFilter)
 	)
-	if !selectorChanged && !namespaceSelectorChanged {
+
+	// Update node filter configuration
+	c.reconciler.UpdateNodeFilter(args.NodeFilter.Enabled, args.NodeFilter.NodeName)
+
+	if !selectorChanged && !namespaceSelectorChanged && !nodeFilterChanged {
 		return nil
 	}
 

internal/component/loki/source/podlogs/podlogs_test.go

@@ -35,3 +35,96 @@ func TestBadAlloyConfig(t *testing.T) {
 	err := syntax.Unmarshal([]byte(exampleAlloyConfig), &args)
 	require.ErrorContains(t, err, "at most one of basic_auth, authorization, oauth2, bearer_token & bearer_token_file must be configured")
 }
+
+func TestNodeFilterConfig(t *testing.T) {
+	tests := []struct {
+		name           string
+		config         string
+		expectedError  string
+		expectedResult Arguments
+	}{
+		{
+			name: "node filter disabled by default",
+			config: `
+				forward_to = []
+			`,
+			expectedResult: Arguments{
+				NodeFilter: NodeFilterConfig{
+					Enabled:  false,
+					NodeName: "",
+				},
+			},
+		},
+		{
+			name: "node filter enabled with explicit node name",
+			config: `
+				forward_to = []
+				node_filter {
+					enabled = true
+					node_name = "worker-node-1"
+				}
+			`,
+			expectedResult: Arguments{
+				NodeFilter: NodeFilterConfig{
+					Enabled:  true,
+					NodeName: "worker-node-1",
+				},
+			},
+		},
+		{
+			name: "node filter enabled without node name",
+			config: `
+				forward_to = []
+				node_filter {
+					enabled = true
+				}
+			`,
+			expectedResult: Arguments{
+				NodeFilter: NodeFilterConfig{
+					Enabled:  true,
+					NodeName: "",
+				},
+			},
+		},
+		{
+			name: "node filter with only node name specified",
+			config: `
+				forward_to = []
+				node_filter {
+					node_name = "worker-node-2"
+				}
+			`,
+			expectedResult: Arguments{
+				NodeFilter: NodeFilterConfig{
+					Enabled:  false, // default value
+					NodeName: "worker-node-2",
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var args Arguments
+			err := syntax.Unmarshal([]byte(tt.config), &args)
+
+			if tt.expectedError != "" {
+				require.ErrorContains(t, err, tt.expectedError)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, tt.expectedResult.NodeFilter.Enabled, args.NodeFilter.Enabled)
+			require.Equal(t, tt.expectedResult.NodeFilter.NodeName, args.NodeFilter.NodeName)
+		})
+	}
+}
+
+func TestNodeFilterConfigDefaults(t *testing.T) {
+	var args Arguments
+	args.SetToDefault()
+
+	// Verify node filter is disabled by default
+	require.False(t, args.NodeFilter.Enabled)
+	require.Empty(t, args.NodeFilter.NodeName)
+}

internal/component/loki/source/podlogs/reconciler.go

@@ -3,6 +3,7 @@ package podlogs
 import (
 	"context"
 	"fmt"
+	"os"
 	"slices"
 	"sort"
 	"strings"
@@ -17,6 +18,7 @@ import (
 	"github.com/prometheus/prometheus/util/strutil"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -69,6 +71,8 @@ type reconciler struct {
 	podLogsSelector          labels.Selector
 	podLogsNamespaceSelector labels.Selector
 	shouldDistribute         bool
+	nodeFilterEnabled        bool
+	nodeFilterName           string
 
 	debugMut  sync.RWMutex
 	debugInfo []DiscoveredPodLogs
@@ -96,6 +100,33 @@ func (r *reconciler) UpdateSelectors(podLogs, namespace labels.Selector) {
 	r.podLogsNamespaceSelector = namespace
 }
 
+// UpdateNodeFilter updates the node filter configuration used by the reconciler.
+func (r *reconciler) UpdateNodeFilter(enabled bool, nodeName string) {
+	r.reconcileMut.Lock()
+	defer r.reconcileMut.Unlock()
+
+	r.nodeFilterEnabled = enabled
+	r.nodeFilterName = nodeName
+}
+
+// getNodeFilterName returns the effective node name to filter by.
+// If enabled but no node name is provided, it falls back to the NODE_NAME environment variable.
+func (r *reconciler) getNodeFilterName() string {
+	r.reconcileMut.RLock()
+	defer r.reconcileMut.RUnlock()
+
+	if !r.nodeFilterEnabled {
+		return ""
+	}
+
+	if r.nodeFilterName != "" {
+		return r.nodeFilterName
+	}
+
+	// Fall back to NODE_NAME environment variable
+	return os.Getenv("NODE_NAME")
+}
+
 // SetDistribute configures whether targets are distributed amongst the cluster.
 func (r *reconciler) SetDistribute(distribute bool) {
 	r.reconcileMut.Lock()
@@ -236,6 +267,15 @@ func (r *reconciler) reconcilePodLogs(ctx context.Context, cli client.Client, po
 	opts := []client.ListOption{
 		client.MatchingLabelsSelector{Selector: sel},
 	}
+
+	// Add node filtering if enabled
+	if nodeFilterName := r.getNodeFilterName(); nodeFilterName != "" {
+		level.Debug(r.log).Log("msg", "applying node filter for pod discovery", "node", nodeFilterName, "key", key)
+		opts = append(opts, client.MatchingFieldsSelector{
+			Selector: fields.OneTermEqualSelector("spec.nodeName", nodeFilterName),
+		})
+	}
+
 	var podList corev1.PodList
 	if err := cli.List(ctx, &podList, opts...); err != nil {
 		discoveredPodLogs.ReconcileError = fmt.Sprintf("failed to list Pods: %s", err)