Run collectors as nonroot user

autoscaler/cmd/main.go

@@ -214,12 +214,6 @@ func main() {
 		}
 	}
 
-	// The name processor is used to transform device ids injected with the virtual device,
-	// to service names and k8s attributes.
-	// it is not needed for eBPF instrumentation or OpAMP implementations.
-	// at the time of writing (2024-10-22) only dotnet and java native agent are using the name processor.
-	_, disableNameProcessor := os.LookupEnv("DISABLE_NAME_PROCESSOR")
-
 	collectorImage := defaultCollectorImage
 	if collectorImageEnv, ok := os.LookupEnv("ODIGOS_COLLECTOR_IMAGE"); ok {
 		collectorImage = collectorImageEnv
@@ -241,34 +235,31 @@ func main() {
 	}
 
 	if err = (&controllers.ProcessorReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		ImagePullSecrets:     imagePullSecrets,
-		OdigosVersion:        odigosVersion,
-		K8sVersion:           k8sVersion,
-		DisableNameProcessor: disableNameProcessor,
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		ImagePullSecrets: imagePullSecrets,
+		OdigosVersion:    odigosVersion,
+		K8sVersion:       k8sVersion,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Processor")
 		os.Exit(1)
 	}
 	if err = (&controllers.CollectorsGroupReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		ImagePullSecrets:     imagePullSecrets,
-		OdigosVersion:        odigosVersion,
-		K8sVersion:           k8sVersion,
-		DisableNameProcessor: disableNameProcessor,
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		ImagePullSecrets: imagePullSecrets,
+		OdigosVersion:    odigosVersion,
+		K8sVersion:       k8sVersion,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CollectorsGroup")
 		os.Exit(1)
 	}
 	if err = (&controllers.InstrumentationConfigReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		ImagePullSecrets:     imagePullSecrets,
-		OdigosVersion:        odigosVersion,
-		K8sVersion:           k8sVersion,
-		DisableNameProcessor: disableNameProcessor,
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		ImagePullSecrets: imagePullSecrets,
+		OdigosVersion:    odigosVersion,
+		K8sVersion:       k8sVersion,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "InstrumentationConfig")
 		os.Exit(1)

autoscaler/controllers/collectorsgroup_controller.go

@@ -36,11 +36,10 @@ import (
 
 type CollectorsGroupReconciler struct {
 	client.Client
-	Scheme               *runtime.Scheme
-	ImagePullSecrets     []string
-	OdigosVersion        string
-	K8sVersion           *version.Version
-	DisableNameProcessor bool
+	Scheme           *runtime.Scheme
+	ImagePullSecrets []string
+	OdigosVersion    string
+	K8sVersion       *version.Version
 }
 
 func (r *CollectorsGroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -52,7 +51,7 @@ func (r *CollectorsGroupReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, err
 	}
 
-	err = datacollection.Sync(ctx, r.Client, r.Scheme, r.ImagePullSecrets, r.OdigosVersion, r.K8sVersion, r.DisableNameProcessor)
+	err = datacollection.Sync(ctx, r.Client, r.Scheme, r.ImagePullSecrets, r.OdigosVersion, r.K8sVersion)
 	if err != nil {
 		return ctrl.Result{}, err
 	}

autoscaler/controllers/datacollection/configmap.go

@@ -30,7 +30,7 @@ import (
 
 func SyncConfigMap(sources *odigosv1.InstrumentationConfigList, dests *odigosv1.DestinationList, allProcessors *odigosv1.ProcessorList,
 	datacollection *odigosv1.CollectorsGroup, ctx context.Context,
-	c client.Client, scheme *runtime.Scheme, disableNameProcessor bool) error {
+	c client.Client, scheme *runtime.Scheme) error {
 	logger := log.FromContext(ctx)
 
 	processors := commonconf.FilterAndSortProcessorsByOrderHint(allProcessors, odigosv1.CollectorsGroupRoleNodeCollector)
@@ -39,7 +39,7 @@ func SyncConfigMap(sources *odigosv1.InstrumentationConfigList, dests *odigosv1.
 	SamplingExists := commonconf.FindFirstProcessorByType(allProcessors, "odigossampling")
 	setTracesLoadBalancer := SamplingExists != nil
 
-	desired, err := getDesiredConfigMap(sources, dests, processors, datacollection, scheme, setTracesLoadBalancer, disableNameProcessor)
+	desired, err := getDesiredConfigMap(sources, dests, processors, datacollection, scheme, setTracesLoadBalancer)
 	if err != nil {
 		logger.Error(err, "failed to get desired config map")
 		return err
@@ -97,8 +97,8 @@ func createConfigMap(desired *v1.ConfigMap, ctx context.Context, c client.Client
 }
 
 func getDesiredConfigMap(sources *odigosv1.InstrumentationConfigList, dests *odigosv1.DestinationList, processors []*odigosv1.Processor,
-	datacollection *odigosv1.CollectorsGroup, scheme *runtime.Scheme, setTracesLoadBalancer bool, disableNameProcessor bool) (*v1.ConfigMap, error) {
-	cmData, err := calculateConfigMapData(datacollection, sources, dests, processors, setTracesLoadBalancer, disableNameProcessor)
+	datacollection *odigosv1.CollectorsGroup, scheme *runtime.Scheme, setTracesLoadBalancer bool) (*v1.ConfigMap, error) {
+	cmData, err := calculateConfigMapData(datacollection, sources, dests, processors, setTracesLoadBalancer)
 	if err != nil {
 		return nil, err
 	}
@@ -125,7 +125,7 @@ func getDesiredConfigMap(sources *odigosv1.InstrumentationConfigList, dests *odi
 }
 
 func calculateConfigMapData(nodeCG *odigosv1.CollectorsGroup, sources *odigosv1.InstrumentationConfigList, dests *odigosv1.DestinationList, processors []*odigosv1.Processor,
-	setTracesLoadBalancer bool, disableNameProcessor bool) (string, error) {
+	setTracesLoadBalancer bool) (string, error) {
 
 	ownMetricsPort := nodeCG.Spec.CollectorOwnMetricsPort
 
@@ -136,10 +136,6 @@ func calculateConfigMapData(nodeCG *odigosv1.CollectorsGroup, sources *odigosv1.
 		log.Log.V(0).Error(err, "processor", name)
 	}
 
-	if !disableNameProcessor {
-		processorsCfg["odigosresourcename"] = empty
-	}
-
 	memoryLimiterConfiguration := common.GetMemoryLimiterConfig(nodeCG.Spec.ResourcesSettings)
 
 	processorsCfg["batch"] = empty
@@ -284,7 +280,7 @@ func calculateConfigMapData(nodeCG *odigosv1.CollectorsGroup, sources *odigosv1.
 		}
 	}
 
-	commonProcessors := getCommonProcessors(disableNameProcessor)
+	commonProcessors := getCommonProcessors()
 
 	if collectLogs {
 		includes := make([]string, 0)
@@ -446,17 +442,12 @@ func getSignalsFromOtelcolConfig(otelcolConfigContent string) ([]odigoscommon.Ob
 	return signals, nil
 }
 
-func getCommonProcessors(disableNameProcessor bool) []string {
+func getCommonProcessors() []string {
 	// memory limiter is placed right after batch processor an not the first processor in pipeline
 	// this is so that instrumented application always succeeds in sending data to the collector
 	// (on it being added to a batch) and checking the memory limit later after the batch
 	// where memory rejection would drop the data instead of backpressuring the application.
 	// Read more about it here: https://github.com/open-telemetry/opentelemetry-collector/issues/11726
 	// Also related: https://github.com/open-telemetry/opentelemetry-collector/issues/9591
-	processors := []string{"batch", "memory_limiter"}
-	if !disableNameProcessor {
-		processors = append(processors, "odigosresourcename")
-	}
-	processors = append(processors, "resource", "resourcedetection", "odigostrafficmetrics")
-	return processors
+	return []string{"batch", "memory_limiter", "resource", "resourcedetection", "odigostrafficmetrics"}
 }

autoscaler/controllers/datacollection/daemonset.go

@@ -9,9 +9,9 @@ import (
 	"github.com/odigos-io/odigos/api/k8sconsts"
 	odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1"
 	"github.com/odigos-io/odigos/autoscaler/controllers/common"
+	commonconfig "github.com/odigos-io/odigos/autoscaler/controllers/common"
 	"github.com/odigos-io/odigos/autoscaler/controllers/datacollection/custom"
 	"k8s.io/apimachinery/pkg/util/version"
-	commonconfig "github.com/odigos-io/odigos/autoscaler/controllers/common"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -171,7 +171,8 @@ func getOdigletDaemonsetPodSpec(ctx context.Context, c client.Client, namespace
 func getDesiredDaemonSet(datacollection *odigosv1.CollectorsGroup,
 	scheme *runtime.Scheme, imagePullSecrets []string, odigosVersion string, k8sVersion *version.Version,
 	odigletDaemonsetPodSpec *corev1.PodSpec) (*appsv1.DaemonSet, error) {
-	// TODO(edenfed): add log volumes only if needed according to apps or dests
+	privileged := true
+	var runAsUser int64 = 0
 
 	// 50% of the nodes can be unavailable during the update.
 	// if we do not set it, the default value is 1.
@@ -244,26 +245,66 @@ func getDesiredDaemonSet(datacollection *odigosv1.CollectorsGroup,
 							},
 						},
 						{
-							Name: "varlibdockercontainers",
+							Name: "host-dev",
+							VolumeSource: corev1.VolumeSource{
+								HostPath: &corev1.HostPathVolumeSource{
+									Path: "/dev",
+								},
+							},
+						},
+						{
+							Name: "host-etc",
+							VolumeSource: corev1.VolumeSource{
+								HostPath: &corev1.HostPathVolumeSource{
+									Path: "/etc",
+								},
+							},
+						},
+						{
+							Name: "host-proc",
 							VolumeSource: corev1.VolumeSource{
 								HostPath: &corev1.HostPathVolumeSource{
-									Path: "/var/lib/docker/containers",
+									Path: "/proc",
 								},
 							},
 						},
 						{
-							Name: "kubeletpodresources",
+							Name: "host-sys",
 							VolumeSource: corev1.VolumeSource{
 								HostPath: &corev1.HostPathVolumeSource{
-									Path: "/var/lib/kubelet/pod-resources", // TODO: remove this when removing name resoultion processor from collector
+									Path: "/sys",
 								},
 							},
 						},
 						{
-							Name: "hostfs",
+							Name: "host-var",
 							VolumeSource: corev1.VolumeSource{
 								HostPath: &corev1.HostPathVolumeSource{
-									Path: "/",
+									Path: "/var",
+								},
+							},
+						},
+					},
+					InitContainers: []corev1.Container{
+						{
+							Name:  "set-logs-acls",
+							Image: commonconfig.ControllerConfig.CollectorImage,
+							Command: []string{
+								"/bin/sh",
+								"-c",
+								`find /hostfs/var/log/pods -type d -exec setfacl -m u:65532:rx,g:65532:rx {} \; || true && \
+            					 find /hostfs/var/log/pods -type d -exec setfacl -d -m u:65532:rx,g:65532:rx {} \; || true && \
+            					 find /hostfs/var/log/pods -type f -exec setfacl -m u:65532:r,g:65532:r {} \; || true;`,
+							},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: &privileged,
+								RunAsUser:  &runAsUser,
+							},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "varlog",
+									MountPath: "/hostfs/var/log",
+									ReadOnly:  false,
 								},
 							},
 						},
@@ -278,24 +319,34 @@ func getDesiredDaemonSet(datacollection *odigosv1.CollectorsGroup,
 									Name:      k8sconsts.OdigosNodeCollectorConfigMapKey,
 									MountPath: confDir,
 								},
-								{
-									Name:      "varlibdockercontainers",
-									MountPath: "/var/lib/docker/containers",
-									ReadOnly:  true,
-								},
-								{
+								{ // Pod logs
 									Name:      "varlog",
 									MountPath: "/var/log",
 									ReadOnly:  true,
 								},
-								{
-									Name:      "kubeletpodresources",
-									MountPath: "/var/lib/kubelet/pod-resources",
+								{ // Host metrics
+									Name:      "host-dev",
+									MountPath: "/hostfs/dev",
 									ReadOnly:  true,
 								},
-								{
-									Name:      "hostfs",
-									MountPath: "/hostfs",
+								{ // Host metrics
+									Name:      "host-etc",
+									MountPath: "/hostfs/etc",
+									ReadOnly:  true,
+								},
+								{ // Host metrics
+									Name:      "host-proc",
+									MountPath: "/hostfs/proc",
+									ReadOnly:  true,
+								},
+								{ // Host metrics
+									Name:      "host-sys",
+									MountPath: "/hostfs/sys",
+									ReadOnly:  true,
+								},
+								{ // Host metrics
+									Name:      "host-var",
+									MountPath: "/hostfs/var",
 									ReadOnly:  true,
 								},
 							},
@@ -360,9 +411,6 @@ func getDesiredDaemonSet(datacollection *odigosv1.CollectorsGroup,
 									corev1.ResourceCPU:    resourceCpuLimitQuantity,
 								},
 							},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: boolPtr(true),
-							},
 						},
 					},
 					HostNetwork:       true,

autoscaler/controllers/datacollection/root.go

@@ -19,7 +19,7 @@ const (
 	syncDaemonsetRetry = 3
 )
 
-func Sync(ctx context.Context, c client.Client, scheme *runtime.Scheme, imagePullSecrets []string, odigosVersion string, k8sVersion *version.Version, disableNameProcessor bool) error {
+func Sync(ctx context.Context, c client.Client, scheme *runtime.Scheme, imagePullSecrets []string, odigosVersion string, k8sVersion *version.Version) error {
 	logger := log.FromContext(ctx)
 
 	var sources odigosv1.InstrumentationConfigList
@@ -51,16 +51,16 @@ func Sync(ctx context.Context, c client.Client, scheme *runtime.Scheme, imagePul
 		return err
 	}
 
-	return syncDataCollection(&sources, &dests, &processors, &dataCollectionCollectorGroup, ctx, c, scheme, imagePullSecrets, odigosVersion, k8sVersion, disableNameProcessor)
+	return syncDataCollection(&sources, &dests, &processors, &dataCollectionCollectorGroup, ctx, c, scheme, imagePullSecrets, odigosVersion, k8sVersion)
 }
 
 func syncDataCollection(sources *odigosv1.InstrumentationConfigList, dests *odigosv1.DestinationList, processors *odigosv1.ProcessorList,
 	dataCollection *odigosv1.CollectorsGroup, ctx context.Context, c client.Client,
-	scheme *runtime.Scheme, imagePullSecrets []string, odigosVersion string, k8sVersion *version.Version, disableNameProcessor bool) error {
+	scheme *runtime.Scheme, imagePullSecrets []string, odigosVersion string, k8sVersion *version.Version) error {
 	logger := log.FromContext(ctx)
 	logger.V(0).Info("Syncing data collection")
 
-	err := SyncConfigMap(sources, dests, processors, dataCollection, ctx, c, scheme, disableNameProcessor)
+	err := SyncConfigMap(sources, dests, processors, dataCollection, ctx, c, scheme)
 	if err != nil {
 		logger.Error(err, "Failed to sync config map")
 		return err

autoscaler/controllers/datacollection/testdata/logs_included.yaml

@@ -7,7 +7,6 @@ extensions:
   health_check: {}
 processors:
   batch: {}
-  odigosresourcename: {}
   resource:
     attributes:
     - action: upsert
@@ -101,7 +100,6 @@ service:
       - otlp/gateway
       processors:
       - batch
-      - odigosresourcename
       - resource
       - resourcedetection
       - test_type/test_processor

autoscaler/controllers/instrumentedapplication_controller.go

@@ -30,15 +30,14 @@ import (
 
 type InstrumentationConfigReconciler struct {
 	client.Client
-	Scheme               *runtime.Scheme
-	ImagePullSecrets     []string
-	OdigosVersion        string
-	K8sVersion           *version.Version
-	DisableNameProcessor bool
+	Scheme           *runtime.Scheme
+	ImagePullSecrets []string
+	OdigosVersion    string
+	K8sVersion       *version.Version
 }
 
 func (r *InstrumentationConfigReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	err := datacollection.Sync(ctx, r.Client, r.Scheme, r.ImagePullSecrets, r.OdigosVersion, r.K8sVersion, r.DisableNameProcessor)
+	err := datacollection.Sync(ctx, r.Client, r.Scheme, r.ImagePullSecrets, r.OdigosVersion, r.K8sVersion)
 	if err != nil {
 		return ctrl.Result{}, err
 	}