Missing create/delete verbs on default instrumentations role

[Allex1]

Deployed operator 0.61.0 on a multi tenant Kubernetes cluster where I am able to use the default roles provided and I cannot create an otelinst resource in my ns.
I've used the helm chart to deploy the operator in my ns which seems to have the exact same role defined.
This is not the case for the otelcol resource which works fine.

Error from server (Forbidden): error when creating "otel-instrumentation.yaml": instrumentations.opentelemetry.io is forbidden: User "xxxZZZ" cannot create resource "instrumentations" in API group "opentelemetry.io" in the namespace "myNS"

❯ kubectl auth can-i create otelinst -n myNS
no
❯ kubectl auth can-i create otelcol -n myNS
yes
❯ kubectl auth can-i delete otelinst -n myNS
no
❯ kubectl auth can-i delete otelcol -n myNS
yes

Am I missing something or should we update the default roles to include these verbs in both the operator and helm repos?

[pavolloffay]

The link you provided https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L138 defines roles for the OTEL operator.

The logs in the comment show that your user cannot delete the instrumentation which seems like a different issue.

[Allex1]

@pavolloffay As mentioned above, my user has the exact same roles as the otel operator (+ some others, but not cluster admin).

Eg for the actual service-account that the operator is provisioned with:

❯ kubectl auth can-i create otelinst --as=system:serviceaccount:myNS:oteloperator-controller-manager -n myNS
no
❯ kubectl auth can-i create otelcol --as=system:serviceaccount:myNS:oteloperator-controller-manager -n myNS
yes

I don't understand why there is a difference in the roles for the 2 resources.

[damemi]

Does the operator create any Instrumentations? I don't see why it would need that role (not sure why it has create for Collectors either). In that case your user shouldn't be re-using the operator's roles

[pavolloffay]

The operator does not create/delete any OTEL CRs.

[Allex1]

Does the operator create any Instrumentations? I don't see why it would need that role (not sure why it has create for Collectors either). In that case your user shouldn't be re-using the operator's roles

Makes sense. Thanks. I was thrown off by the fact that the operator can create the collector cr.

[damemi]

The operator does not create/delete any OTEL CRs.

@pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

[Allex1]

The operator does not create/delete any OTEL CRs.

@pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

I can do that both here and in the helm repo once we get confirmation.

[pavolloffay]

@pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

We can try, maybe some of the upgrade routines might delete the CR but I am not sure.

[pavolloffay]

@Allex1 can we close this issue?

[Allex1]

@pavolloffay closing. Thanks