Add automatic RBAC creation for k8sevents receiver (#3421)

* Add automatic RBAC creation for k8sevents receiver

Signed-off-by: Israel Blancas <[email protected]>

* Add missing file

Signed-off-by: Israel Blancas <[email protected]>

---------

Signed-off-by: Israel Blancas <[email protected]>

.chloggen/3420.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Create RBAC rules for the k8s_events receiver automatically.
+
+# One or more tracking issues related to the change
+issues: [3420]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

Makefile

@@ -206,12 +206,20 @@ add-rbac-permissions-to-operator: manifests kustomize
 	# This folder is ignored by .gitignore
 	mkdir -p config/rbac/extra-permissions-operator
 	cp -r tests/e2e-automatic-rbac/extra-permissions-operator/* config/rbac/extra-permissions-operator
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/cronjobs.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/daemonsets.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/events.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/extensions.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/namespaces.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/namespaces-status.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes.yaml
-	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes-stats.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes-proxy.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes-spec.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/pod-status.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/rbac.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/replicaset.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/replicationcontrollers.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/resourcequotas.yaml
 
 .PHONY: enable-targetallocator-cr
 enable-targetallocator-cr:

internal/components/receivers/helpers.go

@@ -140,6 +140,9 @@ var (
 			WithRbacGen(generateKubeletStatsRbacRules).
 			WithEnvVarGen(generateKubeletStatsEnvVars).
 			MustBuild(),
+		components.NewBuilder[k8seventsConfig]().WithName("k8s_events").
+			WithRbacGen(generatek8seventsRbacRules).
+			MustBuild(),
 		NewScraperParser("prometheus"),
 		NewScraperParser("sshcheck"),
 		NewScraperParser("cloudfoundry"),

internal/components/receivers/k8sevents.go

@@ -0,0 +1,79 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package receivers
+
+import (
+	"github.com/go-logr/logr"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+type k8seventsConfig struct{}
+
+func generatek8seventsRbacRules(_ logr.Logger, _ k8seventsConfig) ([]rbacv1.PolicyRule, error) {
+	// The k8s Events Receiver needs get permissions on the following resources always.
+	return []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{
+				"events",
+				"namespaces",
+				"namespaces/status",
+				"nodes",
+				"nodes/spec",
+				"pods",
+				"pods/status",
+				"replicationcontrollers",
+				"replicationcontrollers/status",
+				"resourcequotas",
+				"services",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{
+				"daemonsets",
+				"deployments",
+				"replicasets",
+				"statefulsets",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"extensions"},
+			Resources: []string{
+				"daemonsets",
+				"deployments",
+				"replicasets",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"batch"},
+			Resources: []string{
+				"jobs",
+				"cronjobs",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"autoscaling"},
+			Resources: []string{
+				"horizontalpodautoscalers",
+			},
+			Verbs: []string{"get", "list", "watch"},
+		},
+	}, nil
+}

tests/e2e-automatic-rbac/extra-permissions-operator/cronjobs.yaml

@@ -0,0 +1,12 @@
+---
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - batch
+    resources:
+    - cronjobs
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/daemonsets.yaml

@@ -0,0 +1,11 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/nodes-stats.yaml → tests/e2e-automatic-rbac/extra-permissions-operator/events.yaml

@@ -1,10 +1,11 @@
----
 - op: add
   path: /rules/-
   value:
     apiGroups:
     - ""
     resources:
-    - nodes/stats
+    - events
     verbs:
     - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/extensions.yaml

@@ -0,0 +1,13 @@
+---
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - extensions
+    resources:
+    - deployments
+    - replicasets
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/namespaces-status.yaml

@@ -0,0 +1,11 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - namespaces/status
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/nodes-proxy.yaml

@@ -5,6 +5,7 @@
     apiGroups:
     - ""
     resources:
+    - nodes/stats
     - nodes/proxy
     verbs:
     - get

tests/e2e-automatic-rbac/extra-permissions-operator/nodes-spec.yaml

@@ -0,0 +1,12 @@
+---
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - nodes/spec
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/nodes.yaml

@@ -10,23 +10,3 @@
     - get
     - list
     - watch
----
-- op: add
-  path: /rules/-
-  value:
-    apiGroups:
-    - ""
-    resources:
-    - nodes/proxy
-    verbs:
-    - get
----
-- op: add
-  path: /rules/-
-  value:
-    apiGroups:
-    - ""
-    resources:
-    - nodes/stats
-    verbs:
-    - get

tests/e2e-automatic-rbac/extra-permissions-operator/pod-status.yaml

@@ -0,0 +1,12 @@
+---
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - pods/status
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/replicationcontrollers.yaml

@@ -0,0 +1,12 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - replicationcontrollers
+    - replicationcontrollers/status
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/extra-permissions-operator/resourcequotas.yaml

@@ -0,0 +1,11 @@
+- op: add
+  path: /rules/-
+  value:
+    apiGroups:
+    - ""
+    resources:
+    - resourcequotas
+    verbs:
+    - get
+    - list
+    - watch

tests/e2e-automatic-rbac/receiver-k8sevents/00-install.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: chainsaw-k8s-events

tests/e2e-automatic-rbac/receiver-k8sevents/01-assert.yaml

@@ -0,0 +1,80 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: simplest-chainsaw-k8s-events-cluster-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - namespaces
+  - namespaces/status
+  - nodes
+  - nodes/spec
+  - pods
+  - pods/status
+  - replicationcontrollers
+  - replicationcontrollers/status
+  - resourcequotas
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+    - autoscaling
+  resources:
+    - horizontalpodautoscalers
+  verbs:
+    - get
+    - list
+    - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: opentelemetry-collector
+    app.kubernetes.io/instance: chainsaw-k8s-events.simplest
+    app.kubernetes.io/managed-by: opentelemetry-operator
+    app.kubernetes.io/name: simplest-chainsaw-k8s-events-collector
+    app.kubernetes.io/part-of: opentelemetry
+  name: simplest-chainsaw-k8s-events-collector
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: simplest-chainsaw-k8s-events-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: simplest-collector
+  namespace: chainsaw-k8s-events

tests/e2e-automatic-rbac/receiver-k8sevents/01-install.yaml

@@ -0,0 +1,18 @@
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: simplest
+  namespace: chainsaw-k8s-events
+spec:
+  config: |
+    receivers:
+      k8s_events:
+    processors:
+    exporters:
+      debug:
+    service:
+      pipelines:
+        traces:
+          receivers: [k8s_events]
+          processors: []
+          exporters: [debug]