fix: Add /metrics non-resource URL to rbac #2913
Conversation
Does the k8sprocessor actually scrape these endpoints?
These RBAC rules are not documented for the processor. https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/k8sattributesprocessor
@thefirstofthe300 @pavolloffay @swiatekm-sumo With the operator built off this PR, I see the following errors in operator logs. The required cluster role is also not created. I do not see this issue from the main branch.
@@ -62,6 +62,10 @@ func (o *K8sAttributesParser) GetRBACRules() []rbacv1.PolicyRule { | |||
Resources: []string{"replicasets"}, | |||
Verbs: []string{"get", "watch", "list"}, | |||
}, | |||
{ | |||
NonResourceURLs: []string{"/metrics"}, |
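Review bot: Placing this rule in `K8sAttributesParser.GetRBACRules()` grants cluster-wide GET on the `/metrics` non-resource URL to every collector that merely uses the k8sattributes processor, whether or not it has a prometheus receiver, which is broader than the processor needs; gating the rule on a receiver that actually scrapes (as the thread suggests) keeps the generated ClusterRole at least privilege. The visible lines of the new entry stop at `NonResourceURLs: []string{"/metrics"},`, so please confirm the entry also carries `Verbs: []string{"get"}`; a rule with no verbs grants nothing, and a non-resource rule is only valid in a ClusterRole, so the operator must emit it there rather than in a namespaced Role.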
@thefirstofthe300 this file creates RBAC for the k8sattribute processor. This does not seem to be related to metrics.
or maybe I am missing something here
I think, rather, this should be added for prometheus receiver, if we had a parser for it.
My initial thought was to have these permissions be triggered by the k8s attribute processor since 1) it was easy and 2) it's a sure signal that the collector is running in a k8s cluster. After more work trying to scrape authenticated metrics endpoints, I'm inclined to agree with this sentiment. The Prometheus Operator makes use of secrets to fetch tokens, meaning the target allocator will need permission to fetch those secrets as well. Obviously, everyone is going to have different requirements for what secrets they are willing to grant the OTEL operator access to, meaning it's probably best if there is some sort of config to allow people to granularly configure an RBAC role.
Description: Add the /metrics non-resource URL to the OTEL collector RBAC
By adding this non-resource URL to the RBAC, it becomes possible for an OTEL collector to scrape authenticated endpoints such as control plane components.
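The following Go program is an added illustration of the two points raised in the thread, not code from this PR or from the opentelemetry-operator: it gates the `/metrics` non-resource rule on the presence of a prometheus receiver instead of on the k8sattributes processor, and it evaluates a rule set the way the apiserver evaluates non-resource requests (exact match, or a pattern ending in `*` matching by prefix), so the effect of the generated ClusterRole can be checked before it is applied. `PolicyRule` is a local stand-in for `rbacv1.PolicyRule` so the example compiles without the Kubernetes module; `CollectorSpec`, `RulesFor` and `AllowsNonResource` are names chosen for this example, and the receiver/processor lists are constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a local stand-in for k8s.io/api/rbac/v1.PolicyRule
// (assumed shape, kept so this example builds without the k8s module).
type PolicyRule struct {
	APIGroups       []string
	Resources       []string
	Verbs           []string
	NonResourceURLs []string
}

// CollectorSpec is a constructed, minimal view of a collector config:
// component names as they appear under receivers:/processors:, e.g.
// "prometheus" or "prometheus/kubelet".
type CollectorSpec struct {
	Receivers  []string
	Processors []string
}

// hasComponent matches a component type exactly or as "type/instance".
func hasComponent(names []string, typ string) bool {
	for _, n := range names {
		if n == typ || strings.HasPrefix(n, typ+"/") {
			return true
		}
	}
	return false
}

// RulesFor builds the rule set for a collector. The k8sattributes processor
// only needs pod/namespace/replicaset reads; GET on /metrics is granted only
// when a prometheus receiver is configured, so collectors that do not scrape
// never receive the cluster-wide non-resource permission.
func RulesFor(spec CollectorSpec) []PolicyRule {
	var rules []PolicyRule
	if hasComponent(spec.Processors, "k8sattributes") {
		rules = append(rules,
			PolicyRule{APIGroups: []string{""}, Resources: []string{"pods", "namespaces"}, Verbs: []string{"get", "watch", "list"}},
			PolicyRule{APIGroups: []string{"apps"}, Resources: []string{"replicasets"}, Verbs: []string{"get", "watch", "list"}},
		)
	}
	if hasComponent(spec.Receivers, "prometheus") {
		// Non-resource rules are only valid in a ClusterRole; the verb is required
		// or the rule grants nothing.
		rules = append(rules, PolicyRule{NonResourceURLs: []string{"/metrics"}, Verbs: []string{"get"}})
	}
	return rules
}

// matchNonResource applies Kubernetes RBAC matching for nonResourceURLs:
// an exact match, or a pattern whose final path element is "*" matching any
// path with that prefix ("/metrics/*" covers "/metrics/cadvisor" but not
// "/metrics" itself).
func matchNonResource(pattern, path string) bool {
	if pattern == path {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return false
}

// AllowsNonResource answers "may this rule set <verb> <path>?" for a
// non-resource request. A verb of "*" in a rule matches every verb.
func AllowsNonResource(rules []PolicyRule, verb, path string) bool {
	for _, r := range rules {
		verbOK := false
		for _, v := range r.Verbs {
			if v == "*" || v == verb {
				verbOK = true
				break
			}
		}
		if !verbOK {
			continue
		}
		for _, u := range r.NonResourceURLs {
			if matchNonResource(u, path) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed specs: one collector only enriches, the other scrapes.
	enrichOnly := CollectorSpec{Processors: []string{"k8sattributes"}}
	scraper := CollectorSpec{Receivers: []string{"prometheus/kubelet"}, Processors: []string{"k8sattributes"}}
	fmt.Println("enrich-only may GET /metrics:", AllowsNonResource(RulesFor(enrichOnly), "get", "/metrics"))
	fmt.Println("scraper may GET /metrics:    ", AllowsNonResource(RulesFor(scraper), "get", "/metrics"))
}
```

After the operator has applied the generated ClusterRole, the same question can be asked of the live cluster with `kubectl auth can-i get /metrics --as=system:serviceaccount:<namespace>:<collector-sa>`, which is the quickest way to confirm that a collector without a prometheus receiver did not pick up the permission.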