[processor/k8sattributes] Retrieve pods at the namespace scope #14742
Comments
edenkoveshi
added
enhancement
evan-bradley
added
priority:p2
|
Pinging code owners: @owais @dmitryax. See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
Hi @edenkoveshi, I have a few questions if you don't mind:
I appreciate if you can elaborate a little bit. I am recently getting into OpenTelemetry, and would like to start contributing, it would help me if you can explain me what you need with more details. |
|
From the documentation I want to achieve the same thing (I only want some labels actually but it doesn't really matter) but not for pods in the entire cluster, only from selected namespaces, and use namespaced RoleBindings to avoid over-priveliging Edit: This really can be summed up to changing the API call to include namespaces |
|
@edenkoveshi thanks, this explains everything I needed to understand. I will fiddle with it and will let you know if I end up creating a PR to address this (unless someone who is already member picks it up before that). Cheers! |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
I think is issue is ready to be implemented, since k8sattributeprocessor e2e is enabled? |
|
Yes, I think it should be good to go with this enhancement |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
This feature would be benefical to our multi-tenant k8s cluster as it provides segregation between namespaces. It would enable each tenant to deploy an OpenTelemetry Collector in their own namespace without the need for cluster scoped RBAC (allowing the service account access to other namespaces). I hope it can be added. Thanks! |
|
@pgoringe, thanks for your comment. @edenkoveshi @pgoringe @fatsheep9146, are any of you interested in implementing this feature? Any help is appreciated. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
I was able to run the Collector within a namespace on an older release (v0.74.0), but after upgrading to the latest version I'm seeing errors in the log about: "failed to list *v1.Namespace: namespaces "kube-system" is forbidden. User "***" cannot list resource "namespaces" in API group "" at the cluster scope I think there is a regression in v0.83.0, possibly caused by the change to add k8s.cluster.uid |
|
Yeah, the Regarding the original ask, once the aforementioned issue is fixed, users can indeed use the processor with Rolebinding to extract labels/annotations for pods running in the collector's namespace only. You need to set the namespace filter for this. One caveat here, even with the namespace filter set, the processor currently cannot extract metadata from the namespace (doesn't seem to pass the filter when ns is queried). I think the issue should be updated to fix this. Ideally, the processor when run with the |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
any news on this ?, would be great, as we're facing the same issue, (cluster-scoped access). thanks! cc @jinja2 @dmitryax @rmfitzpatrick @fatsheep9146 @TylerHelmuth |
|
@hkailantzis this one fell off my radar, but I should be able to look into this next week |
|
Adding interest in this, I have the same issue where my cluster is shared between teams and we use namespaces to isolate things, it would be great if we could scope the processor to just a namespace. |
|
Hi @jinja2 , are there any updates on this ? Is there something else blocking it ? Thanks in advance. :). |
|
There is a PR open, hopefully it'll make it in in 0.97 release. |
**Description:** This PR allows running the k8sattributes processor with a k8s role/rolebinding. This can be useful for k8s users w/o access to create clusterroles and want to enrich pods' telemetry within the scope of a namespace only. The PR also adds more comprehensive e2e tests including tests for different RBAC use cases to ensure any changes going forward do not introduce RBAC incompatibility. **Link to tracking Issue:** #14742 **Testing:** Added e2e tests **Documentation:** <Describe the documentation added.> Updated README
…elemetry#31673) **Description:** This PR allows running the k8sattributes processor with a k8s role/rolebinding. This can be useful for k8s users w/o access to create clusterroles and want to enrich pods' telemetry within the scope of a namespace only. The PR also adds more comprehensive e2e tests including tests for different RBAC use cases to ensure any changes going forward do not introduce RBAC incompatibility. **Link to tracking Issue:** open-telemetry#14742 **Testing:** Added e2e tests **Documentation:** <Describe the documentation added.> Updated README
…elemetry#31673) **Description:** This PR allows running the k8sattributes processor with a k8s role/rolebinding. This can be useful for k8s users w/o access to create clusterroles and want to enrich pods' telemetry within the scope of a namespace only. The PR also adds more comprehensive e2e tests including tests for different RBAC use cases to ensure any changes going forward do not introduce RBAC incompatibility. **Link to tracking Issue:** open-telemetry#14742 **Testing:** Added e2e tests **Documentation:** <Describe the documentation added.> Updated README
|
OK to close as the PR is now merged? |
Is your feature request related to a problem? Please describe.
I want to extract attributes from pods in a single namespace, and I don't really need a cluster role binding for that
What I want is to extract pods attributes with a namespace RoleBinding
Should be quite easy
I can help implementing this if needed
Describe the solution you'd like
Change the Kubernetes client to fetch items at the namespace level if namespace is defined
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: