Automate the creation of the permissions needed by k8sattributes.

[iblancasa]

Description:
Continuation of #2394.

Link to tracking Issue: #2395

[TylerHelmuth]

When extracting metadatas from node, the processor needs get, watch and list permissions for nodes resources.

I believe this situation still needs addressed

[iblancasa]

Thanks! I didn´t see that.

[krishnapomar]

@pavolloffay, @TylerHelmuth

With the latest helm charts I am still facing this issue. I've tried creating explicit RBAC roles but still no luck. The collector keeps failing with this error: "E0315 20:53:15.417043 1 reflector.go:147] k8s.io/client-go@v0.29.1/tools/cache/reflector.go:229: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:otel-collector-collector" cannot list resource "pods" in API group "" at the cluster scope".

I could see only the 'k8s.pod.ip' tag alone in the traces but not other k8s metadata. Could you please help me here and let me know if I am missing something, thank you.

Following are my config files, FYI I am using mode as Deployment.

---

Kustomisation file

---

---

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:

• collector-config.yaml
  helmCharts:
• name: opentelemetry-operator
  repo: https://open-telemetry.github.io/opentelemetry-helm-charts
  version: "0.49.0"
  releaseName: otel-operator
  namespace: default
  includeCRDs: true
  valuesInline:
  mode: deployment
  admissionWebhooks:
  failurePolicy: Ignore
  certManager:
  enabled: false
  autoGenerateCert:
  enabled: true
  recreate: false
  presets:
  kubernetesAttributes:
  enabled: true
  serviceAccount:
  create: true
  clusterRole:
  create: true

---

Following is my collector-config.yaml file:

---

apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
metadata:
name: otel-collector
spec:
mode: deployment
env:

• name: HONEYCOMB_API_KEY
  value: actual_key
  config: |
  receivers:
  otlp:
  protocols:
  http:
  endpoint: "0.0.0.0:4318"
  grpc:
  endpoint: "0.0.0.0:4317"
  exporters:
  logging:
  verbosity: detailed
  otlp:
  endpoint: "api.honeycomb.io:443"
  headers:
  "x-honeycomb-team" : "${env:HONEYCOMB_API_KEY}"
  processors:
  batch:
  k8sattributes:
  auth_type: 'serviceAccount'
  extract:
  metadata:
  - k8s.pod.name
  - k8s.pod.uid
  - k8s.deployment.name
  - k8s.namespace.name
  - k8s.node.name
  - k8s.pod.start_time
  annotations:
  - tag_name: a1
  key: annotation-one
  from: pod
  - tag_name: a2
  key: annotation-two
  regex: field=(?P.+)
  from: namespace
  labels:
  - tag_name: l1
  key: label1
  from: namespace
  - tag_name: l2
  key: label2
  regex: field=(?P.+)
  from: pod
  pod_association:
  - sources:
  - from: resource_attribute
  name: k8s.pod.ip
  - sources:
  - from: resource_attribute
  name: k8s.pod.uid
  - sources:
  - from: connection
  service:
  pipelines:
  traces:
  receivers: [otlp]
  processors: [k8sattributes, batch]
  exporters: [otlp]

[iblancasa]

@pavolloffay, @TylerHelmuth

With the latest helm charts I am still facing this issue. I've tried creating explicit RBAC roles but still no luck

#2525 removed the permissions the operator needs to create the RBAC for the processors. You need to add them.

[krishnapomar]

Thanks for confirming @iblancasa, will create them and see if that solves my problem.