Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[collector] kubernetesAttributes preset ClusterRole does not include "nodes" #1377

Closed
lindeskar opened this issue Oct 10, 2024 · 4 comments · Fixed by #1492
Closed

[collector] kubernetesAttributes preset ClusterRole does not include "nodes" #1377

lindeskar opened this issue Oct 10, 2024 · 4 comments · Fixed by #1492
Assignees
@lindeskar
Labels
chart:collector Issue related to opentelemetry-collector helm chart documentation Improvements or additions to documentation

Comments

@lindeskar
Copy link
Contributor

The kubernetesAttributes preset does not include "nodes" in it's ClusterRole, leading to errors when trying to access Node metadata:

User "system:serviceaccount:opentelemetry-collector:otelcol-opentelemetry-collector" cannot list resource "nodes" in API group "" at the cluster scope

Example chart values causing the error:

mode: "daemonset"
image:
  repository: otel/opentelemetry-collector-contrib
config:
  processors:
    k8sattributes:
      extract:
        labels:
          - { tag_name: zone, key: "topology.kubernetes.io/zone", from: node }
presets:
  logsCollection:
    enabled: true
  kubernetesAttributes:
    enabled: true

This addition to values fixes the problem:

clusterRole:
  rules:
    - apiGroups: [""]
      resources: ["nodes"]
      verbs: ["get", "list", "watch"]

Is this by design? I think we could update the preset documentation, or simply add "nodes" to the template:

opentelemetry-helm-charts/charts/opentelemetry-collector/templates/clusterrole.yaml

Lines 18 to 28 in 694c38d

{{- if .Values.presets.kubernetesAttributes.enabled}}
- apiGroups: [""]
resources: ["pods", "namespaces"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
{{- end }}

--

From the k8sattributesprocessor README:

When using k8s.node.uid or extracting metadata from node, the processor needs get, watch and list permissions for nodes resources.
@lindeskar lindeskar changed the title [collector] kubernetesAttributes ClusterRole does not include "nodes" [collector] kubernetesAttributes preset ClusterRole does not include "nodes" Oct 10, 2024
@TylerHelmuth
Copy link
Member

@lindeskar you are correct, the preset only sets the RBAC to meet the permission requirements of the k8sattributes processor as the preset defines it. Since you added additional scope (extracting node labels) you must also supply the additional RBAC for that feature.

We do this to ensure the preset configures the minimum permissions necessary. We do not want to give more permissions that the components need as that is a security risk.

@lindeskar
Copy link
Contributor Author

Thanks. I agree that's a reasonable default.

Then I wish for a comment about this in:

opentelemetry-helm-charts/charts/opentelemetry-collector/values.yaml

Lines 45 to 47 in 694c38d

# Configures the Kubernetes Processor to add Kubernetes metadata.
# Adds the k8sattributes processor to all the pipelines
# and adds the necessary rules to ClusteRole.

and:

opentelemetry-helm-charts/charts/opentelemetry-collector/README.md

Lines 144 to 146 in 694c38d

### Configuration for Kubernetes Attributes Processor
The collector can be configured to add Kubernetes metadata, such as pod name and namespace name, as resource attributes to incoming logs, metrics and traces.

Can I create PR for it?

@TylerHelmuth
Copy link
Member

Yes please

@TylerHelmuth TylerHelmuth added documentation Improvements or additions to documentation chart:collector Issue related to opentelemetry-collector helm chart labels Oct 11, 2024
crutonjohn added a commit to crutonjohn/opentelemetry-helm-charts that referenced this issue Nov 16, 2024
@crutonjohn
docs(collector): information regarding the behavior of the k8sattribu…
ed8b6ea 
…tes preset behavior

the preset applies both the k8sattributes processor as well as minimum viable RBAC rules for the
collector, which should be made clear to the user.

addresses open-telemetry#1377
@crutonjohn crutonjohn mentioned this issue Nov 16, 2024
Closed
@lindeskar lindeskar mentioned this issue Jan 15, 2025
Merged
@lindeskar
Copy link
Contributor Author

#1492 contains the changes suggested in #1417 (closed from being stale)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lindeskar lindeskar

Labels
chart:collector Issue related to opentelemetry-collector helm chart documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
2 participants
@TylerHelmuth @lindeskar