Skip to content

Commit

Permalink
Add automatic RBAC creation for k8scluster receiver (open-telemetry#3428
Browse files Browse the repository at this point in the history
)

Signed-off-by: Israel Blancas <iblancas@redhat.com>
  • Loading branch information
Israel Blancas authored Nov 23, 2024
1 parent 9a5a8ce commit 5e35dbb
Show file tree
Hide file tree
Showing 12 changed files with 491 additions and 1 deletion.
16 changes: 16 additions & 0 deletions .chloggen/3427.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
component: collector

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Create RBAC rules for the k8s_cluster receiver automatically.

# One or more tracking issues related to the change
issues: [3427]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
1 change: 1 addition & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,7 @@ add-rbac-permissions-to-operator: manifests kustomize
# This folder is ignored by .gitignore
mkdir -p config/rbac/extra-permissions-operator
cp -r tests/e2e-automatic-rbac/extra-permissions-operator/* config/rbac/extra-permissions-operator
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/clusterresourcequotas.yaml
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/cronjobs.yaml
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/daemonsets.yaml
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/events.yaml
Expand Down
3 changes: 3 additions & 0 deletions internal/components/receivers/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,9 @@ var (
components.NewBuilder[k8seventsConfig]().WithName("k8s_events").
WithRbacGen(generatek8seventsRbacRules).
MustBuild(),
components.NewBuilder[k8sclusterConfig]().WithName("k8s_cluster").
WithRbacGen(generatek8sclusterRbacRules).
MustBuild(),
components.NewBuilder[k8sobjectsConfig]().WithName("k8sobjects").
WithRbacGen(generatek8sobjectsRbacRules).
MustBuild(),
Expand Down
87 changes: 87 additions & 0 deletions internal/components/receivers/k8scluster.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
// Copyright The OpenTelemetry Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package receivers

import (
"github.com/go-logr/logr"
rbacv1 "k8s.io/api/rbac/v1"
)

type k8sclusterConfig struct {
Distribution string `mapstructure:"distribution"`
}

func generatek8sclusterRbacRules(_ logr.Logger, cfg k8sclusterConfig) ([]rbacv1.PolicyRule, error) {
policyRules := []rbacv1.PolicyRule{
{
APIGroups: []string{""},
Resources: []string{
"events",
"namespaces",
"namespaces/status",
"nodes",
"nodes/spec",
"pods",
"pods/status",
"replicationcontrollers",
"replicationcontrollers/status",
"resourcequotas",
"services",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"apps"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
"statefulsets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"extensions"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"batch"},
Resources: []string{
"jobs",
"cronjobs",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"autoscaling"},
Resources: []string{"horizontalpodautoscalers"},
Verbs: []string{"get", "list", "watch"},
},
}

if cfg.Distribution == "openshift" {
policyRules = append(policyRules, rbacv1.PolicyRule{
APIGroups: []string{"quota.openshift.io"},
Resources: []string{"clusterresourcequotas"},
Verbs: []string{"get", "list", "watch"},
})
}
return policyRules, nil
}
164 changes: 164 additions & 0 deletions internal/components/receivers/k8scluster_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
// Copyright The OpenTelemetry Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package receivers

import (
"testing"

"github.com/go-logr/logr"
"github.com/stretchr/testify/assert"
rbacv1 "k8s.io/api/rbac/v1"
)

func Test_generatek8sclusterRbacRules(t *testing.T) {
tests := []struct {
name string
cfg k8sclusterConfig
want []rbacv1.PolicyRule
wantErr bool
}{
{
name: "default configuration",
cfg: k8sclusterConfig{},
want: []rbacv1.PolicyRule{
{
APIGroups: []string{""},
Resources: []string{
"events",
"namespaces",
"namespaces/status",
"nodes",
"nodes/spec",
"pods",
"pods/status",
"replicationcontrollers",
"replicationcontrollers/status",
"resourcequotas",
"services",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"apps"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
"statefulsets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"extensions"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"batch"},
Resources: []string{
"jobs",
"cronjobs",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"autoscaling"},
Resources: []string{"horizontalpodautoscalers"},
Verbs: []string{"get", "list", "watch"},
},
},
wantErr: false,
},
{
name: "openshift configuration",
cfg: k8sclusterConfig{
Distribution: "openshift",
},
want: []rbacv1.PolicyRule{
{
APIGroups: []string{""},
Resources: []string{
"events",
"namespaces",
"namespaces/status",
"nodes",
"nodes/spec",
"pods",
"pods/status",
"replicationcontrollers",
"replicationcontrollers/status",
"resourcequotas",
"services",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"apps"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
"statefulsets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"extensions"},
Resources: []string{
"daemonsets",
"deployments",
"replicasets",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"batch"},
Resources: []string{
"jobs",
"cronjobs",
},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"autoscaling"},
Resources: []string{"horizontalpodautoscalers"},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"quota.openshift.io"},
Resources: []string{"clusterresourcequotas"},
Verbs: []string{"get", "list", "watch"},
},
},
wantErr: false,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := generatek8sclusterRbacRules(logr.Discard(), tt.cfg)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,6 @@ func TestDownstreamParsers(t *testing.T) {
{"awsxray", "awsxray", "__awsxray", 2000, false},
{"tcplog", "tcplog", "__tcplog", 0, true},
{"udplog", "udplog", "__udplog", 0, true},
{"k8s_cluster", "k8s_cluster", "__k8s_cluster", 0, false},
} {
t.Run(tt.receiverName, func(t *testing.T) {
t.Run("builds successfully", func(t *testing.T) {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
- op: add
path: /rules/-
value:
apiGroups:
- quota.openshift.io
resources:
- clusterresourcequotas
verbs:
- get
- list
- watch
4 changes: 4 additions & 0 deletions tests/e2e-automatic-rbac/receiver-k8scluster/00-install.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: chainsaw-k8s-cluster
80 changes: 80 additions & 0 deletions tests/e2e-automatic-rbac/receiver-k8scluster/01-assert.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: simplest-chainsaw-k8s-cluster-cluster-role
rules:
- apiGroups:
- ""
resources:
- events
- namespaces
- namespaces/status
- nodes
- nodes/spec
- pods
- pods/status
- replicationcontrollers
- replicationcontrollers/status
- resourcequotas
- services
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: opentelemetry-collector
app.kubernetes.io/instance: chainsaw-k8s-cluster.simplest
app.kubernetes.io/managed-by: opentelemetry-operator
app.kubernetes.io/name: simplest-chainsaw-k8s-cluster-collector
app.kubernetes.io/part-of: opentelemetry
name: simplest-chainsaw-k8s-cluster-collector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: simplest-chainsaw-k8s-cluster-cluster-role
subjects:
- kind: ServiceAccount
name: simplest-collector
namespace: chainsaw-k8s-cluster
Loading

0 comments on commit 5e35dbb

Please sign in to comment.