Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[collector] kubernetesAttributes preset ClusterRole does not include "nodes" #1377

Open
lindeskar opened this issue Oct 10, 2024 · 3 comments
Assignees
Labels
chart:collector Issue related to opentelemetry-collector helm chart documentation Improvements or additions to documentation

Comments

@lindeskar
Copy link
Contributor

The kubernetesAttributes preset does not include "nodes" in it's ClusterRole, leading to errors when trying to access Node metadata:

User "system:serviceaccount:opentelemetry-collector:otelcol-opentelemetry-collector" cannot list resource "nodes" in API group "" at the cluster scope

Example chart values causing the error:

mode: "daemonset"
image:
  repository: otel/opentelemetry-collector-contrib
config:
  processors:
    k8sattributes:
      extract:
        labels:
          - { tag_name: zone, key: "topology.kubernetes.io/zone", from: node }
presets:
  logsCollection:
    enabled: true
  kubernetesAttributes:
    enabled: true

This addition to values fixes the problem:

clusterRole:
  rules:
    - apiGroups: [""]
      resources: ["nodes"]
      verbs: ["get", "list", "watch"]

Is this by design? I think we could update the preset documentation, or simply add "nodes" to the template:

{{- if .Values.presets.kubernetesAttributes.enabled}}
- apiGroups: [""]
resources: ["pods", "namespaces"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
{{- end }}

--

From the k8sattributesprocessor README:

When using k8s.node.uid or extracting metadata from node, the processor needs get, watch and list permissions for nodes resources.

@lindeskar lindeskar changed the title [collector] kubernetesAttributes ClusterRole does not include "nodes" [collector] kubernetesAttributes preset ClusterRole does not include "nodes" Oct 10, 2024
@TylerHelmuth
Copy link
Member

@lindeskar you are correct, the preset only sets the RBAC to meet the permission requirements of the k8sattributes processor as the preset defines it. Since you added additional scope (extracting node labels) you must also supply the additional RBAC for that feature.

We do this to ensure the preset configures the minimum permissions necessary. We do not want to give more permissions that the components need as that is a security risk.

@lindeskar
Copy link
Contributor Author

Thanks. I agree that's a reasonable default.

Then I wish for a comment about this in:

# Configures the Kubernetes Processor to add Kubernetes metadata.
# Adds the k8sattributes processor to all the pipelines
# and adds the necessary rules to ClusteRole.

and:

### Configuration for Kubernetes Attributes Processor
The collector can be configured to add Kubernetes metadata, such as pod name and namespace name, as resource attributes to incoming logs, metrics and traces.

Can I create PR for it?

@TylerHelmuth
Copy link
Member

Yes please

@TylerHelmuth TylerHelmuth added documentation Improvements or additions to documentation chart:collector Issue related to opentelemetry-collector helm chart labels Oct 11, 2024
crutonjohn added a commit to crutonjohn/opentelemetry-helm-charts that referenced this issue Nov 16, 2024
…tes preset behavior

the preset applies both the k8sattributes processor as well as minimum viable RBAC rules for the
collector, which should be made clear to the user.

addresses open-telemetry#1377
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
chart:collector Issue related to opentelemetry-collector helm chart documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

2 participants