Skip to content

Commit 29bafee

Browse files
docs: note about firewall rules for GKE private clusters (#1010)
Co-authored-by: Jacob Aronoff <[email protected]>
1 parent 6ea5f7f commit 29bafee

File tree

1 file changed

+5
-0
lines changed

1 file changed

+5
-0
lines changed

README.md

+5
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,8 @@ The `config` node holds the `YAML` that should be passed down as-is to the under
6868

6969
> 🚨 **NOTE:** At this point, the Operator does *not* validate the contents of the configuration file: if the configuration is invalid, the instance will still be created but the underlying OpenTelemetry Collector might crash.
7070
71+
> 🚨 **Note:** For private GKE clusters, you will need to either add a firewall rule that allows master nodes access to port `9443/tcp` on worker nodes, or change the existing rule that allows access to port `80/tcp`, `443/tcp` and `10254/tcp` to also allow access to port `9443/tcp`. More information can be found in the [Official GCP Documentation](https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#config-hc-firewall). See the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) on adding rules and the [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/79739) for more detail.
72+
7173
The Operator does examine the configuration file to discover configured receivers and their ports. If it finds receivers with ports, it creates a pair of kubernetes services, one headless, exposing those ports within the cluster. The headless service contains a `service.beta.openshift.io/serving-cert-secret-name` annotation that will cause OpenShift to create a secret containing a certificate and key. This secret can be mounted as a volume and the certificate and key used in those receivers' TLS configurations.
7274

7375
### Upgrades
@@ -311,8 +313,11 @@ The possible values for the annotation can be
311313
* `"my-other-namespace/my-instrumentation"` - name and namespace of `Instrumentation` CR instance in another namespace.
312314
* `"false"` - do not inject
313315

316+
>**Note:** For `DotNet` auto-instrumentation, by default, operator sets the `OTEL_DOTNET_AUTO_TRACES_ENABLED_INSTRUMENTATIONS` environment variable which specifies the list of traces source instrumentations you want to enable. The value that is set by default by the operator is all available instrumentations supported by the `openTelemery-dotnet-instrumentation` release consumed in the image, i.e. `AspNet,HttpClient,SqlClient`. This value can be overriden by configuring the environment variable explicitely.
317+
314318
#### Multi-container pods with single instrumentation
315319

320+
316321
If nothing else is specified, instrumentation is performed on the first container available in the pod spec.
317322
In some cases (for example in the case of the injection of an Istio sidecar) it becomes necessary to specify on which container(s) this injection must be performed.
318323

0 commit comments

Comments
 (0)