Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[chore] add documentation for setting up RBAC for the k8sobserver extension #35597

Merged
merged 2 commits into from
Oct 11, 2024
Merged

[chore] add documentation for setting up RBAC for the k8sobserver extension #35597

merged 2 commits into from
Oct 11, 2024

Conversation

bacherfl
Copy link
Contributor

@bacherfl bacherfl commented Oct 4, 2024

Description

This PR extends the readme of the k8sobserver by describing how to set up the required RBAC permissions to observe the related k8s resources

Link to tracking issue

Fixes #35595

Documentation

Extended the readme

@bacherfl
[k8sobserver] add documentation for setting up RBAC
c801848 
Signed-off-by: Florian Bacher <florian.bacher@dynatrace.com>
@bacherfl bacherfl changed the title [k8sobserver] add documentation for setting up RBAC [chore] add documentation for setting up RBAC for the k8sobserver extension Oct 4, 2024
@bacherfl bacherfl marked this pull request as ready for review October 4, 2024 07:04
@bacherfl bacherfl requested a review from a team as a code owner October 4, 2024 07:04
ChrsMark
ChrsMark reviewed Oct 4, 2024
View reviewed changes
extension/observer/k8sobserver/README.md
auth_type: serviceAccount
collection_interval: 10s
endpoint: "`endpoint`:`kubelet_endpoint_port`"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using kubelet_endpoint_port to monitor the discovered Redis Pod looks weird? Should be just port instead?

Suggested change
endpoint: "`endpoint`:`kubelet_endpoint_port`"
endpoint: "`endpoint`:`port`"

ref: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/receivercreator/README.md#port

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just looked into that again - i think this still needs to be kubelet_endpoint_port, as this is not related to the redis receiver example, but for a kubeletstats receiver, which is created based on a detected k8s.node (this example is essentially a copy paste from the config example further above in the readme).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I just realized that there are 2 different config blocks, I saw it as only one 🤦🏽‍♂️

ChrsMark
ChrsMark approved these changes Oct 4, 2024
View reviewed changes
Copy link
Member

@ChrsMark ChrsMark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank's for adding these!

extension/observer/k8sobserver/README.md
auth_type: serviceAccount
collection_interval: 10s
endpoint: "`endpoint`:`kubelet_endpoint_port`"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I just realized that there are 2 different config blocks, I saw it as only one 🤦🏽‍♂️

@ChrsMark
Copy link
Member

ChrsMark commented Oct 8, 2024

@open-telemetry/collector-contrib-approvers this should be good to go?

@bacherfl bacherfl mentioned this pull request Oct 9, 2024
Closed
andrzej-stencel
andrzej-stencel approved these changes Oct 11, 2024
View reviewed changes
extension/observer/k8sobserver/README.md
```

2. Create a `ClusterRole`/`ClusterRoleBinding` that grants permission to read pods, nodes, services and ingresses.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose using just a Role instead of ClusterRole is also an option if the user only want to observe e.g. pods in a specific namespace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the late reply - right now, the k8sobserver works only with ClusterRoles, but I'm working on an issue (#9401) to also support the use of namespaced resources and thus also be usable with Roles instead of ClusterRoles

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edit: I just realized that the issue i linked in the comment above is for the k8sclusterreceiver, and not the k8sobserver - However, looking at the code of the k8sobserver, it seems like the informer being created here also is currently always attempting to observe all namespaces. so it might make sense to also do something similar as in #9401 for this component.

@andrzej-stencel andrzej-stencel merged commit 47118f2 into open-telemetry:main Oct 11, 2024
138 checks passed
@github-actions github-actions bot added this to the next release milestone Oct 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChrsMark ChrsMark ChrsMark approved these changes

@andrzej-stencel andrzej-stencel andrzej-stencel approved these changes

@dmitryax dmitryax Awaiting requested review from dmitryax dmitryax is a code owner

@rmfitzpatrick rmfitzpatrick Awaiting requested review from rmfitzpatrick

Assignees

@dmitryax dmitryax

Labels
extension/observer
Projects
None yet
Milestone
next release
Development

Successfully merging this pull request may close these issues.

[k8sobserver] Add documentation for required RBAC permissions
4 participants
@bacherfl @ChrsMark @andrzej-stencel @dmitryax