It's currently not possible to deploy the TA without cluster-wide
permissions.
This change introduces a new env variable to the TA, WATCH_NAMESPACE,
which allows for specifying which namespaces to watch. This approach is
similar to how the opentelemetry-operator can be scoped to watch a
single namespace.
This does mean that cluster-wide resources like node metrics (cAdvisor)
are no longer accessible, but this is acceptable since we only want the
TA to know about targets that exist in specific namespaces.
Fixes: #3086
Signed-off-by: Charlie Le <[email protected]>
Before the TargetAllocator can start scraping, you need to set up Kubernetes RBAC (role-based access controls) resources. This means that you need to have a `ServiceAccount` and corresponding cluster roles so that the TargetAllocator has access to all of the necessary resources to pull metrics from.
183
+
Before the TargetAllocator can start scraping, you need to set up Kubernetes RBAC (role-based access controls) resources. This means that you need to have a `ServiceAccount` and corresponding ClusterRoles/Roles so that the TargetAllocator has access to all the necessary resources to pull metrics from.
184
184
185
-
You can create your own `ServiceAccount`, and reference it in `spec.targetAllocator.serviceAccount` in your `OpenTelemetryCollector` CR. You’ll then need to configure the `ClusterRole` and `ClusterRoleBinding` for this `ServiceAccount`, as per below.
185
+
You can create your own `ServiceAccount`, and reference it in `spec.targetAllocator.serviceAccount` in your `OpenTelemetryCollector` CR. You’ll then need to configure the `ClusterRole` and `ClusterRoleBinding` or `Role` and `RoleBinding` for this `ServiceAccount`, as per below.
186
+
187
+
#### Cluster-scoped RBAC
186
188
187
189
```yaml
188
190
targetAllocator:
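Review bot: the added wording "ClusterRole and ClusterRoleBinding or Role and RoleBinding for this ServiceAccount, as per below" leaves the reader to guess which of the two applies to their deployment; say in this sentence that the Role/RoleBinding form is only valid when WATCH_NAMESPACE is set on the TargetAllocator and that the manifests under "Cluster-scoped RBAC" are the default, so the cluster-wide grants are not copied by someone intending a namespace-scoped, least-privilege setup.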
@@ -193,11 +195,11 @@ You can create your own `ServiceAccount`, and reference it in `spec.targetAlloca
193
195
```
194
196
195
197
> 🚨 **Note**: The Collector part of this same CR *also* has a serviceAccount key which only affects the collector and *not*
196
-
the TargetAllocator.
198
+
> the TargetAllocator.
197
199
198
-
If you omit the `ServiceAccount` name, the TargetAllocator creates a `ServiceAccount` for you. The `ServiceAccount`’s default name is a concatenation of the Collector name and the `-targetallocator` suffix. By default, this `ServiceAccount` has no defined policy, so you’ll need to create your own `ClusterRole` and `ClusterRoleBinding` for it, as per below.
200
+
If you omit the `ServiceAccount` name, the TargetAllocator creates a `ServiceAccount` for you. The `ServiceAccount`’s default name is a concatenation of the Collector name and the `-targetallocator` suffix. By default, this `ServiceAccount` has no defined policy, so you’ll need to create your own `ClusterRole` and `ClusterRoleBinding` or `Role` and `RoleBinding` for it, as per below.
199
201
200
-
The role below will provide the minimum access required for the Target Allocator to query all the targets it needs based on any Prometheus configurations:
202
+
The ClusterRole below will provide the minimum access required for the Target Allocator to query all the targets it needs based on any Prometheus configurations:
201
203
202
204
```yaml
203
205
apiVersion: rbac.authorization.k8s.io/v1
@@ -231,7 +233,7 @@ rules:
231
233
verbs: ["get"]
232
234
```
233
235
234
-
If you enable the the `prometheusCR` (set `spec.targetAllocator.prometheusCR.enabled` to `true`) in the `OpenTelemetryCollector` CR, you will also need to define the following roles. These give the TargetAllocator access to the `PodMonitor` and `ServiceMonitor` CRs. It also gives namespace access to the `PodMonitor` and `ServiceMonitor`.
236
+
If you enable the `prometheusCR` (set `spec.targetAllocator.prometheusCR.enabled` to `true`) in the `OpenTelemetryCollector` CR, you will also need to define the following ClusterRoles. These give the TargetAllocator access to the `PodMonitor` and `ServiceMonitor` CRs. It also gives namespace access to the `PodMonitor` and `ServiceMonitor`.
235
237
236
238
```yaml
237
239
apiVersion: rbac.authorization.k8s.io/v1
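Review bot: style point on the rewritten paragraph: "These give the TargetAllocator access to the PodMonitor and ServiceMonitor CRs. It also gives namespace access" switches from a plural to a singular subject; "They also grant namespace access" reads consistently with the new "ClusterRoles" wording.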
@@ -252,8 +254,83 @@ rules:
252
254
verbs: ["get", "list", "watch"]
253
255
```
254
256
255
-
> ✨ The above roles can be combined into a single role.
257
+
> ✨ The above ClusterRoles can be combined into a single ClusterRole.
258
+
259
+
#### Namespace-scoped RBAC
260
+
261
+
If you want to have the TargetAllocator watch a specific namespace, you can set the WATCH_NAMESPACE environment variable
262
+
in the TargetAllocator's deployment. This is useful if you want to restrict the TargetAllocator to only watch Prometheus
263
+
CRs in a specific namespace, and not have cluster-wide access.
264
+
265
+
```yaml
266
+
targetAllocator:
267
+
enabled: true
268
+
serviceAccount: opentelemetry-targetallocator-sa
269
+
prometheusCR:
270
+
enabled: true
271
+
env:
272
+
- name: WATCH_NAMESPACE
273
+
value: "foo"
274
+
```
275
+
276
+
In this case, you will need to create a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding. The Role
277
+
and RoleBinding should be created in the namespace specified in the WATCH_NAMESPACE environment variable.
256
278
279
+
```yaml
280
+
apiVersion: rbac.authorization.k8s.io/v1
281
+
kind: Role
282
+
metadata:
283
+
name: opentelemetry-targetallocator-role
284
+
rules:
285
+
- apiGroups:
286
+
- ""
287
+
resources:
288
+
- pods
289
+
- services
290
+
- endpoints
291
+
- configmaps
292
+
- secrets
293
+
- namespaces
294
+
verbs:
295
+
- get
296
+
- watch
297
+
- list
298
+
- apiGroups:
299
+
- apps
300
+
resources:
301
+
- statefulsets
302
+
verbs:
303
+
- get
304
+
- watch
305
+
- list
306
+
- apiGroups:
307
+
- discovery.k8s.io
308
+
resources:
309
+
- endpointslices
310
+
verbs:
311
+
- get
312
+
- watch
313
+
- list
314
+
- apiGroups:
315
+
- networking.k8s.io
316
+
resources:
317
+
- ingresses
318
+
verbs:
319
+
- get
320
+
- watch
321
+
- list
322
+
- apiGroups:
323
+
- monitoring.coreos.com
324
+
resources:
325
+
- servicemonitors
326
+
- podmonitors
327
+
- scrapeconfigs
328
+
- probes
329
+
verbs:
330
+
- get
331
+
- watch
332
+
- list
333
+
```
257
334
258
335
### Service / Pod monitor endpoint credentials
259
336
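Review bot: the new Role manifest has no `metadata.namespace`, yet the text just above says it must be created in the namespace from WATCH_NAMESPACE (`"foo"` in the example); add `namespace: foo` to the manifest and include the matching RoleBinding, whose subject must name the `opentelemetry-targetallocator-sa` ServiceAccount together with the namespace the collector runs in, since a RoleBinding in `foo` does not find a ServiceAccount in another namespace by name alone. The `namespaces` entry under the core API group also needs attention: namespaces are cluster-scoped, so a Role can at most allow `get` on the one namespace the RoleBinding lives in, and the `list` and `watch` verbs granted here have no effect; either drop the entry or state what it actually permits. Finally, the commit message speaks of "which namespaces to watch" while this section describes a single namespace; state whether WATCH_NAMESPACE accepts one value or a list.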
@@ -409,4 +486,3 @@ Shards the received targets based on the discovered Collector instances
409
486
410
487
### Collector
411
488
Client to watch for deployed Collector instances which will then provided to the Allocator.
factory:=informers.NewMonitoringInformerFactories(map[string]struct{}{v1.NamespaceAll: {}}, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces
57
+
// Check env var for WATCH_NAMESPACE and use it if its set, else use v1.NamespaceAll
58
+
// This is to allow the operator to watch only a specific namespace
logger.Info("the env var WATCH_NAMESPACE isn't set, watching all namespaces")
69
+
}
70
+
71
+
factory:=informers.NewMonitoringInformerFactories(allowList, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces
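Review bot: the `//TODO decide what strategy to use regarding namespaces` comment is carried over onto the new `NewMonitoringInformerFactories(allowList, ...)` call even though this change is that decision; drop it. In the added comment, "if its set" should read "if it's set", and "allow the operator to watch only a specific namespace" names the wrong component, as this code runs in the target allocator. The log line for the unset case is useful; consider also logging the namespace(s) in `allowList` when the variable is set, so a deployment that is quietly watching the wrong namespace can be spotted from the logs.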