Add Docker and Kubernetes examples to DoS section #5729

Merged
merged 7 commits into from
Dec 11, 2024
2 changes: 2 additions & 0 deletions content/en/docs/security/_index.md
@@ -1,5 +1,7 @@
---
title: Security
cascade:
collector_vers: 0.115.1
weight: 970
---

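Review bot: `collector_vers: 0.115.1` under `cascade:` pins a second copy of the Collector version next to the `vers` param already maintained for `content/en/docs/collector/_index.md` (see the `updates` array in `scripts/auto-update/all-versions.sh`), so the two values only stay aligned as long as both auto-update entries keep working. A one-line comment beside the key noting that the value is managed by the auto-update script would stop the next editor from bumping it by hand, and it is worth deciding whether the security pages could reuse the existing `vers` param instead of introducing a parallel key.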
127 changes: 123 additions & 4 deletions content/en/docs/security/config-best-practices.md
Expand Up @@ -115,10 +115,129 @@ addresses so the network functions properly in dual-stack environments and
applications, where both protocol versions are used.

If you are working in environments that have nonstandard networking setups, such
as Docker or Kubernetes, see the
[example configurations](https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks)
in our component developer documentation for ideas on how to bind your component
endpoints.
as Docker or Kubernetes, `localhost` might not work as expected. The following
examples show setups for the OTLP receiver gRPC endpoint. Other Collector
components might need similar configuration.

#### Docker

You can run the Collector in Docker by binding to the correct address. Here is a
`config.yaml` configuration file for an OTLP exporter in Docker:

```yaml
receivers:
otlp:
protocols:
grpc:
endpoint: my-hostname:4317 # Use the same hostname from your docker run command
```

In your `docker run` command, use the `--hostname` argument to bind the
Collector to the `my-hostname` address. You can access the Collector from
outside that Docker network (for example, on a regular program running on the
host) by connecting to `127.0.0.1:4567`. Here is an example `docker run`
command:

```shell
docker run --hostname my-hostname --name container-name -p 127.0.0.1:4567:4317 otel/opentelemetry-collector:{{% param collector_vers %}}
```

#### Docker Compose

Similarly to plain Docker, you can run the Collector in Docker by binding to the
correct address.

The Docker `compose.yaml` file:

```yaml
services:
otel-collector:
image: otel/opentelemetry-collector-contrib:{{% param collector_vers %}}
ports:
- '4567:4317'
```

The Collector `config.yaml` file:

```yaml
receivers:
otlp:
protocols:
grpc:
endpoint: otel-collector:4317 # Use the service name from your Docker compose file
```

You can connect to this Collector from another Docker container running in the
same network by connecting to `otel-collector:4317`. You can access the
Collector from outside that Docker network (for example, on a regular program
running on the host) by connecting to `127.0.0.1:4567`.

#### Kubernetes

If you run the Collector as a `DaemonSet`, you can use a configuration like the
following:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: collector
spec:
selector:
matchLabels:
name: collector
template:
metadata:
labels:
name: collector
spec:
containers:
- name: collector
image: otel/opentelemetry-collector:{{% param collector_vers %}}
ports:
- containerPort: 4317
hostPort: 4317
protocol: TCP
name: otlp-grpc
- containerPort: 4318
hostPort: 4318
protocol: TCP
name: otlp-http
env:
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
```

In this example, you use the
[Kubernetes Downward API](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/)
to get your own Pod IP, then bind to that network interface. Then, we use the
`hostPort` option to ensure that the Collector is exposed on the host. The
Collector's config should look like this:

```yaml
receivers:
otlp:
protocols:
grpc:
endpoint: ${env:MY_POD_IP}:4317
http:
endpoint: ${env:MY_POD_IP}:4318
```

You can send OTLP data to this Collector from any Pod on the Node by accessing
`${MY_HOST_IP}:4317` to send OTLP over gRPC and `${MY_HOST_IP}:4318` to send
OTLP over HTTP, where `MY_HOST_IP` is the Node's IP address. You can get this IP
from the Downward API:

```yaml
env:
- name: MY_HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
```

### Scrub sensitive data

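Review bot: the Docker Compose `ports:` entry `- '4567:4317'` publishes the gRPC receiver on every host interface, which contradicts both the `docker run` example (`-p 127.0.0.1:4567:4317`) and the sentence that says the host reaches it at `127.0.0.1:4567`; in a section about safeguards against denial of service the loopback-only form `- '127.0.0.1:4567:4317'` should be the one shown. Two smaller fixes in the same hunk: "Here is a `config.yaml` configuration file for an OTLP exporter in Docker" describes a snippet that configures `receivers: otlp:`, so "exporter" should read "receiver"; and the Compose example pulls `otel/opentelemetry-collector-contrib` while the Docker and DaemonSet examples use `otel/opentelemetry-collector`, so one image should be used throughout. For the Kubernetes example it would help to state explicitly that binding to `${env:MY_POD_IP}` only scopes the in-Pod listener and that `hostPort` is what makes the receiver reachable on the Node's address, since that is the exposure decision readers of this section care about.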
1 change: 1 addition & 0 deletions scripts/auto-update/all-versions.sh
Expand Up @@ -4,6 +4,7 @@ function auto_update_versions() {
local cmd="./scripts/auto-update/version-in-file.sh"
local updates=(
"opentelemetry-collector-releases vers content/en/docs/collector/_index.md"
"opentelemetry-collector-releases collector_vers content/en/docs/security/_index.md"
"opentelemetry-java otel content/en/docs/languages/java/_index.md"
"opentelemetry-java otel content/en/docs/zero-code/java/_index.md"
"opentelemetry-java-instrumentation instrumentation content/en/docs/languages/java/_index.md"
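Review bot: the new entry targets the `collector_vers` key, which the front-matter change in `content/en/docs/security/_index.md` nests under `cascade:` rather than at the top level; worth confirming that `version-in-file.sh` matches an indented key, otherwise the pinned `0.115.1` will silently stop updating. The line itself mirrors the existing `vers` entry for `content/en/docs/collector/_index.md` and is placed consistently with it.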