Add automatic RBAC creation for k8scluster receiver

Signed-off-by: Israel Blancas <[email protected]>

Author: Israel Blancas

.chloggen/3427.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Create RBAC rules for the k8s_cluster receiver automatically.
+
+# One or more tracking issues related to the change
+issues: [3427]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

Makefile

@@ -206,6 +206,7 @@ add-rbac-permissions-to-operator: manifests kustomize
 	# This folder is ignored by .gitignore
 	mkdir -p config/rbac/extra-permissions-operator
 	cp -r tests/e2e-automatic-rbac/extra-permissions-operator/* config/rbac/extra-permissions-operator
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/clusterresourcequotas.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/cronjobs.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/daemonsets.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/events.yaml

internal/components/receivers/helpers.go

@@ -143,6 +143,9 @@ var (
 		components.NewBuilder[k8seventsConfig]().WithName("k8s_events").
 			WithRbacGen(generatek8seventsRbacRules).
 			MustBuild(),
+		components.NewBuilder[k8sclusterConfig]().WithName("k8s_cluster").
+			WithRbacGen(generatek8sclusterRbacRules).
+			MustBuild(),
 		NewScraperParser("prometheus"),
 		NewScraperParser("sshcheck"),
 		NewScraperParser("cloudfoundry"),

internal/components/receivers/k8scluster.go

@@ -0,0 +1,87 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package receivers
+
+import (
+	"github.com/go-logr/logr"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+type k8sclusterConfig struct {
+	Distribution string `mapstructure:"distribution"`
+}
+
+func generatek8sclusterRbacRules(_ logr.Logger, cfg k8sclusterConfig) ([]rbacv1.PolicyRule, error) {
+	policyRules := []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{
+				"events",
+				"namespaces",
+				"namespaces/status",
+				"nodes",
+				"nodes/spec",
+				"pods",
+				"pods/status",
+				"replicationcontrollers",
+				"replicationcontrollers/status",
+				"resourcequotas",
+				"services",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{
+				"daemonsets",
+				"deployments",
+				"replicasets",
+				"statefulsets",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"extensions"},
+			Resources: []string{
+				"daemonsets",
+				"deployments",
+				"replicasets",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"batch"},
+			Resources: []string{
+				"jobs",
+				"cronjobs",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"autoscaling"},
+			Resources: []string{"horizontalpodautoscalers"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+	}
+
+	if cfg.Distribution == "openshift" {
+		policyRules = append(policyRules, rbacv1.PolicyRule{
+			APIGroups: []string{"quota.openshift.io"},
+			Resources: []string{"clusterresourcequotas"},
+			Verbs:     []string{"get", "list", "watch"},
+		})
+	}
+	return policyRules, nil
+}

internal/components/receivers/k8scluster_test.go

@@ -0,0 +1,164 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package receivers
+
+import (
+	"testing"
+
+	"github.com/go-logr/logr"
+	"github.com/stretchr/testify/assert"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+func Test_generatek8sclusterRbacRules(t *testing.T) {
+	tests := []struct {
+		name    string
+		cfg     k8sclusterConfig
+		want    []rbacv1.PolicyRule
+		wantErr bool
+	}{
+		{
+			name: "default configuration",
+			cfg:  k8sclusterConfig{},
+			want: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{
+						"events",
+						"namespaces",
+						"namespaces/status",
+						"nodes",
+						"nodes/spec",
+						"pods",
+						"pods/status",
+						"replicationcontrollers",
+						"replicationcontrollers/status",
+						"resourcequotas",
+						"services",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"apps"},
+					Resources: []string{
+						"daemonsets",
+						"deployments",
+						"replicasets",
+						"statefulsets",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"extensions"},
+					Resources: []string{
+						"daemonsets",
+						"deployments",
+						"replicasets",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"batch"},
+					Resources: []string{
+						"jobs",
+						"cronjobs",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"autoscaling"},
+					Resources: []string{"horizontalpodautoscalers"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "openshift configuration",
+			cfg: k8sclusterConfig{
+				Distribution: "openshift",
+			},
+			want: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{
+						"events",
+						"namespaces",
+						"namespaces/status",
+						"nodes",
+						"nodes/spec",
+						"pods",
+						"pods/status",
+						"replicationcontrollers",
+						"replicationcontrollers/status",
+						"resourcequotas",
+						"services",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"apps"},
+					Resources: []string{
+						"daemonsets",
+						"deployments",
+						"replicasets",
+						"statefulsets",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"extensions"},
+					Resources: []string{
+						"daemonsets",
+						"deployments",
+						"replicasets",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"batch"},
+					Resources: []string{
+						"jobs",
+						"cronjobs",
+					},
+					Verbs: []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"autoscaling"},
+					Resources: []string{"horizontalpodautoscalers"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
+				{
+					APIGroups: []string{"quota.openshift.io"},
+					Resources: []string{"clusterresourcequotas"},
+					Verbs:     []string{"get", "list", "watch"},
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := generatek8sclusterRbacRules(logr.Discard(), tt.cfg)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

internal/components/receivers/single_endpoint_receiver_test.go

@@ -83,7 +83,6 @@ func TestDownstreamParsers(t *testing.T) {
 		{"awsxray", "awsxray", "__awsxray", 2000, false},
 		{"tcplog", "tcplog", "__tcplog", 0, true},
 		{"udplog", "udplog", "__udplog", 0, true},
-		{"k8s_cluster", "k8s_cluster", "__k8s_cluster", 0, false},
 	} {
 		t.Run(tt.receiverName, func(t *testing.T) {
 			t.Run("builds successfully", func(t *testing.T) {

tests/e2e-automatic-rbac/extra-permissions-operator/clusterresourcequotas.yaml

@@ -0,0 +1,11 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - quota.openshift.io
+    resources:
+    - clusterresourcequotas
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/receiver-k8scluster/00-install.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: chainsaw-k8s-cluster

tests/e2e-automatic-rbac/receiver-k8scluster/01-assert.yaml

@@ -0,0 +1,80 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: simplest-chainsaw-k8s-cluster-cluster-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - namespaces
+  - namespaces/status
+  - nodes
+  - nodes/spec
+  - pods
+  - pods/status
+  - replicationcontrollers
+  - replicationcontrollers/status
+  - resourcequotas
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+    - autoscaling
+  resources:
+    - horizontalpodautoscalers
+  verbs:
+    - get
+    - list
+    - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: opentelemetry-collector
+    app.kubernetes.io/instance: chainsaw-k8s-cluster.simplest
+    app.kubernetes.io/managed-by: opentelemetry-operator
+    app.kubernetes.io/name: simplest-chainsaw-k8s-cluster-collector
+    app.kubernetes.io/part-of: opentelemetry
+  name: simplest-chainsaw-k8s-cluster-collector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: simplest-chainsaw-k8s-cluster-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: simplest-collector
+  namespace: chainsaw-k8s-cluster