Allow for scoping TA to watch namespace #3763
Conversation
| factory := informers.NewMonitoringInformerFactories(map[string]struct{}{v1.NamespaceAll: {}}, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces | ||
| // Check env var for WATCH_NAMESPACE and use it if its set, else use v1.NamespaceAll | ||
| // This is to allow the operator to watch only a specific namespace | ||
| watchNamespace, found := os.LookupEnv("WATCH_NAMESPACE") |
There was a problem hiding this comment.
Could we instead add this to the config, allow setting it via the config file, and also this env variable? I'd like to avoid reading environment variables all over the codebase, and instead do all of it in the config package.
There was a problem hiding this comment.
I also wonder if we should follow the namespace selector pattern prometheus (and as a result the TA) uses?
There was a problem hiding this comment.
That is also true. @CharlieTLe could you check out #3573 and see if it would address your need?
There was a problem hiding this comment.
I don’t think it would, I was trying to get the TA to run without the ability to list namespaces so that it wouldn’t require a ClusterRole.
There was a problem hiding this comment.
When
is used here, there’s an assumption that the service account that the TA uses has a cluster role with the permission to list namespaces in the cluster.
There was a problem hiding this comment.
The error that gets printed when the TA attempts to list all namespace without the ClusterRole.
missing list/watch permissions on the 'namespaces' resource: missing "list" permission on resource "namespaces" (group: "") for all namespaces: missing "watch" permission on resource "namespaces" (group: "") for all namespaces
The needed cluster role would look something like this
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ta
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- watch
- list
So the main change in this PR is to not use v1.NamespaceAll so that the TA can run in a namespace-scoped Role when the watch_namespace field is set.
There was a problem hiding this comment.
Allright, I can see this being useful. We like to align these kinds of options with how prometheus-operator does it. There, this is a command-line argument for the operator, which won't work in our case, but we can use the same terminology. So this would be named AllowNamespaces, and we could also add DenyNamespaces to let this set be constrained from the other side. WDYT @jaronoff97 ?
CharlieTLe
force-pushed
the
namespace-ta
branch
from
437d50d to
f9c9f70
Compare
When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a comma-separated list of namespaces for the target allocator to watch. If set to an empty string, it will list all list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty string. - denyNamespaces is a comma-separated list of namespaces for the target allocator to not watch. If set to an empty string, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty string. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>
CharlieTLe
force-pushed
the
namespace-ta
branch
from
f9c9f70 to
0e5d90f
Compare
When the target allocator is configured to watch Prometheus custom
resources in the cluster to discover targets, it is currently hard-coded
to require a ClusterRole with a policy rule of listing namespaces. This
prevents usage in environments where configuring ClusterRoles is not
permitted i.e. in namespace-as-a-service setups where only Roles can be
created.
This change introduces two fields in the prometheusCR specification to
allow configuring the namespaces that can be interacted with by the
target allocator.
allocator to watch. If set to an empty string, it will list all
list all namespaces in the cluster. This is mutually exclusive with
denyNamespaces. Defaults to an empty string.
allocator to not watch. If set to an empty string, it will not exclude
any namespaces. This is mutually exclusive with allowNamespaces.
Defaults to an empty string.
Fixes: #3086