open-telemetry / opentelemetry-helm-charts

OpenTelemetry Helm Charts
https://opentelemetry.io
Apache License 2.0

[operator] operator is attempting to grant RBAC permissions not currently held #1434

Open grandwizard28 opened 11 hours ago

grandwizard28 commented 11 hours ago

Description

The operator starts failing with the following errors:

is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["nodes/proxy"], Verbs:["get"]}
is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["nodes/stats"], Verbs:["get"]}

My guess is this has something to do with the configuration of my collector:

config:
  extensions:
    k8s_observer/pods:
    health_check:
    file_storage/filelog:
  receivers:
    kubeletstats:
    hostmetrics:
    otlp/grpc:
    receiver_creator/prometheus:
      watch_observers: [k8s_observer/pods]
    receiver_creator/filelog:
      watch_observers: [k8s_observer/pods]
  processors:
    resourcedetection:
      detectors:
        - env
        - gcp
        - k8snode
      k8snode:
        node_from_env_var: K8S_NODE_NAME
        auth_type: serviceAccount
      timeout: 2s
      override: true
    k8sattributes:
      extract:
        metadata:
          - "k8s.namespace.name"
          - "k8s.deployment.name"
          - "k8s.statefulset.name"
          - "k8s.daemonset.name"
          - "k8s.cronjob.name"
          - "k8s.job.name"
          - "k8s.node.name"
          - "k8s.node.uid"
          - "k8s.pod.name"
          - "k8s.pod.uid"
          - "k8s.pod.start_time"
          - "k8s.container.name"
          - "container.image.name"
          - "container.image.tag"
      filter:
        node_from_env_var: K8S_NODE_NAME
      passthrough: false
      pod_association:
        - sources:
          - from: resource_attribute
            name: k8s.pod.ip
        - sources:
          - from: resource_attribute
            name: k8s.pod.uid
        - sources:
          - from: connection

I'm not sure which processor/receiver/extension is asking for these permissions. Can we add these permissions to the helm chart?

The fix is to add the above roles in the clusterrole by running:

kubectl edit clusterrole/opentelemetry-operator-manager

Versions

Helm Chart: 0.74.2
Collector Image: 0.113.0

grandwizard28 commented 11 hours ago

I'm happy to raise a fix for this!
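
The error text in this issue is produced by the Kubernetes API server's RBAC escalation check: a subject can only create or update a role whose rules it already holds itself. The following is an added example, not code from the issue, the chart or Kubernetes; it is a simplified Python model of that check (it ignores resourceNames, nonResourceURLs and the `*/subresource` form), and the held and requested rule sets are constructed samples, not the operator's real ClusterRole.

```python
from itertools import product


def _matches(held_values, wanted):
    # A held list matches if it names the value exactly or contains "*".
    return "*" in held_values or wanted in held_values


def rule_covers(held, group, resource, verb):
    # "nodes" does NOT match "nodes/stats": subresources must be listed.
    return (_matches(held["apiGroups"], group)
            and _matches(held["resources"], resource)
            and _matches(held["verbs"], verb))


def uncovered(held_rules, requested_rules):
    """Return the (group, resource, verb) tuples requested but not held."""
    missing = []
    for rule in requested_rules:
        for g, r, v in product(rule["apiGroups"], rule["resources"], rule["verbs"]):
            if not any(rule_covers(h, g, r, v) for h in held_rules):
                missing.append((g, r, v))
    return missing


# Constructed sample: rules the granting service account holds.
OPERATOR_HELD = [
    {"apiGroups": [""], "resources": ["nodes", "pods", "namespaces"],
     "verbs": ["get", "list", "watch"]},
]
# Constructed sample: rules in the role it tries to create.
COLLECTOR_REQUESTED = [
    {"apiGroups": [""], "resources": ["nodes", "nodes/proxy", "nodes/stats"],
     "verbs": ["get"]},
]
# The two rules named in the error messages, added to the granting role.
PATCH = [
    {"apiGroups": [""], "resources": ["nodes/proxy", "nodes/stats"],
     "verbs": ["get"]},
]

if __name__ == "__main__":
    for g, r, v in uncovered(OPERATOR_HELD, COLLECTOR_REQUESTED):
        print(f'not currently held: {{APIGroups:["{g}"], '
              f'Resources:["{r}"], Verbs:["{v}"]}}')
    print("after patch:", uncovered(OPERATOR_HELD + PATCH, COLLECTOR_REQUESTED))
```

Holding `get` on `nodes` does not satisfy the check for `nodes/proxy` or `nodes/stats`, which is why each subresource appears as its own error line.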