[TRACING-5064] Add a suitable k8sattributesprocessor into "Example ClusterRole" in the doc - Red Hat Issue Tracker

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: documentation, Tempo
Labels:
None

Story Points:
1
Blocked:
False
Blocked Reason:
None
Ready:
False
Git Pull Request:
https://github.com/openshift/openshift-docs/pull/89387
Intelligence Requested:
Market:

Sprint:
Tracing Sprint # 267 - Release

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

The following is shown as `Example ClusterRole` in `2. Create a cluster role for the service account` in doc[1]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-collector
rules:
  (1)
  (2)
- apiGroups: ["", "config.openshift.io"]
  resources: ["pods", "namespaces", "infrastructures", "infrastructures/status"]
  verbs: ["get", "watch", "list"]
  
(1) The k8sattributesprocessor requires permissions for pods and namespaces resources.
(2) The resourcedetectionprocessor requires permissions for infrastructures and status.

When we run `3. Bind the cluster role to the service account` and `4. Create the YAML file to define the OpenTelemetryCollector custom resource (CR)`, and we get the following error.

W1212 XX:XX:XX.XXXXXXX   1 reflector.go:561] k8s.io/client-go@v0.31.2/tools/cache/reflector.go:243: failed to list *v1.ReplicaSet: replicasets.apps is forbidden: User   "system:serviceaccount:tel:otel-collector-deployment" cannot list resource "replicasets" in API group "apps" at the cluster scope
E1212 XX:XX:XX.XXXXXX    1 reflector.go:158] "Unhandled Error" err="k8s.io/client-go@v0.31.2/tools/cache/reflector.go:243: Failed to watch *v1.ReplicaSet: failed to list *v1.ReplicaSet:   replicasets.apps is forbidden: User \"system:serviceaccount:tel:otel-collector-deployment\" cannot list resource \"replicasets\" in API group \"apps\" at the cluster scope"   logger="UnhandledError"

Does this mean that at least the following are necessary as specific example of (1)?

- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]

I think [2] and [3] are related fixes on this issue.

[1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/red_hat_build_of_opentelemetry/otel-forwarding-telemetry-data#otel-forwarding-traces_otel-forwarding-telemetry-data

[2] https://github.com/open-telemetry/opentelemetry-operator/issues/2823

[3] https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/23013

is documented by

OBSDOCS-1738 [urgent][TRACING-5064] Add a suitable k8sattributesprocessor to ClusterRole example

Review

OBSDOCS-1648 [TRACING-5064] Add a suitable k8sattributesprocessor into "Example ClusterRole" in the doc

Closed

links to

openshift/openshift-docs#89387: TRACING-5064 | RHOSDT (any version), fix RBAC for k8sattribute processor

Assignee:: Pavol Loffay

Reporter:: Hideshi Fukumoto

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/12/24 9:23 AM

Updated:: 2025/03/03 9:44 AM

Resolved:: 2025/02/28 5:08 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates