It's currently not possible to deploy the TA without cluster-wide
permissions.
This change introduces a new env variable to the TA, WATCH_NAMESPACE,
which allows for specifying which namespaces to watch. This approach is
similar to how the opentelemetry-operator can be scoped to watch a
single namespace.
This does mean that cluster-wide resources like node metrics (cAdvisor)
are no longer accessible, but this is acceptable since we only want the
TA to know about targets that exist in specific namespaces.
Fixes: #3086
Signed-off-by: Charlie Le <[email protected]>
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
2
+
change_type: enhancement
3
+
4
+
# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
5
+
component: target allocator
6
+
7
+
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
8
+
note: |
9
+
Add support for `WATCH_NAMESPACE` environment variable in the target allocator.
10
+
11
+
# One or more tracking issues related to the change
12
+
issues: [3086]
13
+
14
+
# (Optional) One or more lines of additional information to render under the primary note.
15
+
# These lines will be padded with 2 spaces and then inserted directly into the document.
16
+
# Use pipe (|) for multiline entries.
17
+
subtext: |
18
+
This variable can be set to an empty string to watch all namespaces, or to a comma-separated list of namespaces to watch.
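Review bot: the subtext at the end of this hunk states that `WATCH_NAMESPACE` accepts an empty string to watch all namespaces or a comma-separated list of namespaces, but the README text added further down in this PR describes watching "a specific namespace" with a single Role and RoleBinding "in the namespace specified", and the Go log line only covers the case where the variable "isn't set". Settle on one contract (single namespace or list; unset vs. empty string) and state it identically in the changelog, the README and the code comment; if a list is supported, the README should say that a Role and RoleBinding are required in each listed namespace.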
Before the TargetAllocator can start scraping, you need to set up Kubernetes RBAC (role-based access controls) resources. This means that you need to have a `ServiceAccount` and corresponding cluster roles so that the TargetAllocator has access to all of the necessary resources to pull metrics from.
194
+
Before the TargetAllocator can start scraping, you need to set up Kubernetes RBAC (role-based access controls) resources. This means that you need to have a `ServiceAccount` and corresponding ClusterRoles/Roles so that the TargetAllocator has access to all the necessary resources to pull metrics from.
195
195
196
-
You can create your own `ServiceAccount`, and reference it in `spec.targetAllocator.serviceAccount` in your `OpenTelemetryCollector` CR. You’ll then need to configure the `ClusterRole` and `ClusterRoleBinding` for this `ServiceAccount`, as per below.
196
+
You can create your own `ServiceAccount`, and reference it in `spec.targetAllocator.serviceAccount` in your `OpenTelemetryCollector` CR. You’ll then need to configure the `ClusterRole` and `ClusterRoleBinding` or `Role` and `RoleBinding` for this `ServiceAccount`, as per below.
197
+
198
+
#### Cluster-scoped RBAC
197
199
198
200
```yaml
199
201
targetAllocator:
@@ -204,11 +206,11 @@ You can create your own `ServiceAccount`, and reference it in `spec.targetAlloca
204
206
```
205
207
206
208
> 🚨 **Note**: The Collector part of this same CR *also* has a serviceAccount key which only affects the collector and *not*
207
-
the TargetAllocator.
209
+
> the TargetAllocator.
208
210
209
-
If you omit the `ServiceAccount` name, the TargetAllocator creates a `ServiceAccount` for you. The `ServiceAccount`’s default name is a concatenation of the Collector name and the `-targetallocator` suffix. By default, this `ServiceAccount` has no defined policy, so you’ll need to create your own `ClusterRole` and `ClusterRoleBinding` for it, as per below.
211
+
If you omit the `ServiceAccount` name, the TargetAllocator creates a `ServiceAccount` for you. The `ServiceAccount`’s default name is a concatenation of the Collector name and the `-targetallocator` suffix. By default, this `ServiceAccount` has no defined policy, so you’ll need to create your own `ClusterRole` and `ClusterRoleBinding` or `Role` and `RoleBinding` for it, as per below.
210
212
211
-
The role below will provide the minimum access required for the Target Allocator to query all the targets it needs based on any Prometheus configurations:
213
+
The ClusterRole below will provide the minimum access required for the Target Allocator to query all the targets it needs based on any Prometheus configurations:
212
214
213
215
```yaml
214
216
apiVersion: rbac.authorization.k8s.io/v1
@@ -242,7 +244,7 @@ rules:
242
244
verbs: ["get"]
243
245
```
244
246
245
-
If you enable the the `prometheusCR` (set `spec.targetAllocator.prometheusCR.enabled` to `true`) in the `OpenTelemetryCollector` CR, you will also need to define the following roles. These give the TargetAllocator access to the `PodMonitor` and `ServiceMonitor` CRs. It also gives namespace access to the `PodMonitor` and `ServiceMonitor`.
247
+
If you enable the `prometheusCR` (set `spec.targetAllocator.prometheusCR.enabled` to `true`) in the `OpenTelemetryCollector` CR, you will also need to define the following ClusterRoles. These give the TargetAllocator access to the `PodMonitor` and `ServiceMonitor` CRs. It also gives namespace access to the `PodMonitor` and `ServiceMonitor`.
246
248
247
249
```yaml
248
250
apiVersion: rbac.authorization.k8s.io/v1
@@ -263,8 +265,83 @@ rules:
263
265
verbs: ["get", "list", "watch"]
264
266
```
265
267
266
-
> ✨ The above roles can be combined into a single role.
268
+
> ✨ The above ClusterRoles can be combined into a single ClusterRole.
269
+
270
+
#### Namespace-scoped RBAC
271
+
272
+
If you want to have the TargetAllocator watch a specific namespace, you can set the WATCH_NAMESPACE environment variable
273
+
in the TargetAllocator's deployment. This is useful if you want to restrict the TargetAllocator to only watch Prometheus
274
+
CRs in a specific namespace, and not have cluster-wide access.
275
+
276
+
```yaml
277
+
targetAllocator:
278
+
enabled: true
279
+
serviceAccount: opentelemetry-targetallocator-sa
280
+
prometheusCR:
281
+
enabled: true
282
+
env:
283
+
- name: WATCH_NAMESPACE
284
+
value: "foo"
285
+
```
286
+
287
+
In this case, you will need to create a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding. The Role
288
+
and RoleBinding should be created in the namespace specified in the WATCH_NAMESPACE environment variable.
267
289
290
+
```yaml
291
+
apiVersion: rbac.authorization.k8s.io/v1
292
+
kind: Role
293
+
metadata:
294
+
name: opentelemetry-targetallocator-role
295
+
rules:
296
+
- apiGroups:
297
+
- ""
298
+
resources:
299
+
- pods
300
+
- services
301
+
- endpoints
302
+
- configmaps
303
+
- secrets
304
+
- namespaces
305
+
verbs:
306
+
- get
307
+
- watch
308
+
- list
309
+
- apiGroups:
310
+
- apps
311
+
resources:
312
+
- statefulsets
313
+
verbs:
314
+
- get
315
+
- watch
316
+
- list
317
+
- apiGroups:
318
+
- discovery.k8s.io
319
+
resources:
320
+
- endpointslices
321
+
verbs:
322
+
- get
323
+
- watch
324
+
- list
325
+
- apiGroups:
326
+
- networking.k8s.io
327
+
resources:
328
+
- ingresses
329
+
verbs:
330
+
- get
331
+
- watch
332
+
- list
333
+
- apiGroups:
334
+
- monitoring.coreos.com
335
+
resources:
336
+
- servicemonitors
337
+
- podmonitors
338
+
- scrapeconfigs
339
+
- probes
340
+
verbs:
341
+
- get
342
+
- watch
343
+
- list
344
+
```
268
345
269
346
### Service / Pod monitor endpoint credentials
270
347
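Review bot: the Role example in this hunk has only `name: opentelemetry-targetallocator-role` under `metadata:`, although the paragraph just above says the Role and RoleBinding must be created in the namespace named in `WATCH_NAMESPACE`; add `namespace: foo` so it matches the `value: "foo"` in the CR example, and add the RoleBinding example (binding the `opentelemetry-targetallocator-sa` ServiceAccount) that the text promises but the hunk does not show. Two further points on the rules: the Role grants `get`/`watch`/`list` on `namespaces`, yet a Role bound in `foo` can at most grant `get` on the `foo` Namespace object itself, so `list`/`watch` on Namespaces still requires a ClusterRole and will be denied under this scoping; and the Role grants `list`/`watch` on `secrets` and `configmaps` for the whole namespace, while the cluster-scoped hunk above shows at least one rule limited to `verbs: ["get"]`, so confirm the namespaced Role mirrors the cluster-scoped minimum for each resource rather than widening it.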
@@ -420,4 +497,3 @@ Shards the received targets based on the discovered Collector instances
420
497
421
498
### Collector
422
499
Client to watch for deployed Collector instances which will then provided to the Allocator.
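Review bot: the context line "Client to watch for deployed Collector instances which will then provided to the Allocator." is missing a word ("will then be provided"); since this hunk already edits the surrounding lines, fold that fix in.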
factory:=informers.NewMonitoringInformerFactories(map[string]struct{}{v1.NamespaceAll: {}}, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces
57
+
// Check env var for WATCH_NAMESPACE and use it if its set, else use v1.NamespaceAll
58
+
// This is to allow the operator to watch only a specific namespace
logger.Info("the env var WATCH_NAMESPACE isn't set, watching all namespaces")
69
+
}
70
+
71
+
factory:=informers.NewMonitoringInformerFactories(allowList, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces
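Review bot: the new `factory:=informers.NewMonitoringInformerFactories(allowList, ...)` line keeps the trailing `//TODO decide what strategy to use regarding namespaces` even though this change is that decision; drop the TODO and let gofmt put spaces around `:=`. The added comment should read "use it if it's set" rather than "if its set". The only log line visible covers the unset case ("the env var WATCH_NAMESPACE isn't set, watching all namespaces"); also log the resolved contents of `allowList` when the variable is set, so an operator can confirm from the logs that the allocator is really scoped to the intended namespace(s). Finally, `os.Getenv` returns "" for both an unset and an empty variable, so either make the changelog's "empty string watches all namespaces" wording match how `allowList` is built, or use `os.LookupEnv` if the two cases are meant to differ.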