Missing create/delete verbs on default instrumentations role #1202

Closed
Allex1 opened this issue Oct 24, 2022 · 10 comments

@Allex1
Contributor

Allex1 commented Oct 24, 2022

Deployed operator 0.61.0 on a multi-tenant Kubernetes cluster where I am able to use the default roles provided and I cannot create an otelinst resource in my ns.
I've used the helm chart to deploy the operator in my ns which seems to have the exact same role defined.
This is not the case for the otelcol resource which works fine.

Error from server (Forbidden): error when creating "otel-instrumentation.yaml": instrumentations.opentelemetry.io is forbidden: User "xxxZZZ" cannot create resource "instrumentations" in API group "opentelemetry.io" in the namespace "myNS"

❯ kubectl auth can-i create otelinst -n myNS
no
❯ kubectl auth can-i create otelcol -n myNS
yes
❯ kubectl auth can-i delete otelinst -n myNS
no
❯ kubectl auth can-i delete otelcol -n myNS
yes

Am I missing something or should we update the default roles to include these verbs in both the operator and helm repos?

@pavolloffay
Member

The link you provided https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L138 defines roles for the OTEL operator.

The logs in the comment show that your user cannot delete the instrumentation which seems like a different issue.

@Allex1
Contributor Author

Allex1 commented Nov 1, 2022

@pavolloffay As mentioned above, my user has the exact same roles as the otel operator (+ some others, but not cluster admin).

E.g., for the actual service-account that the operator is provisioned with:

❯ kubectl auth can-i create otelinst --as=system:serviceaccount:myNS:oteloperator-controller-manager -n myNS
no
❯ kubectl auth can-i create otelcol --as=system:serviceaccount:myNS:oteloperator-controller-manager -n myNS
yes

I don't understand why there is a difference in the roles for the 2 resources.

@damemi

damemi commented Nov 1, 2022

Does the operator create any Instrumentations? I don't see why it would need that role (not sure why it has create for Collectors either). In that case your user shouldn't be re-using the operator's roles.

@pavolloffay
Member

The operator does not create/delete any OTEL CRs.

@Allex1
Contributor Author

Allex1 commented Nov 1, 2022

> Does the operator create any Instrumentations? I don't see why it would need that role (not sure why it has create for Collectors either). In that case your user shouldn't be re-using the operator's roles

Makes sense. Thanks. I was thrown off by the fact that the operator can create the collector CR.

Allex1 closed this as completed Nov 1, 2022
@damemi

damemi commented Nov 1, 2022

> The operator does not create/delete any OTEL CRs.

@pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

@Allex1
Contributor Author

Allex1 commented Nov 1, 2022

> The operator does not create/delete any OTEL CRs.
>
> @pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

I can do that both here and in the helm repo once we get confirmation.

Allex1 reopened this Nov 1, 2022
@pavolloffay
Member

> @pavolloffay should create/delete for collectors be dropped from its role? https://github.com/open-telemetry/opentelemetry-operator/blob/main/config/rbac/role.yaml#L150-L151

We can try, maybe some of the upgrade routines might delete the CR but I am not sure.

@pavolloffay
Member

@Allex1 can we close this issue?

@Allex1
Contributor Author

Allex1 commented Nov 7, 2022

@pavolloffay closing. Thanks

Allex1 closed this as completed Nov 7, 2022
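
Added example, not part of the original thread and not one of the project's manifests: a namespaced Role and RoleBinding that give a tenant user its own rights on Instrumentation resources instead of reusing the operator's role, following damemi's suggestion above. The names `otel-instrumentation-editor`, `my-ns` and `tenant-user` are placeholders, and the verb list is an assumption to be trimmed to what the tenant actually needs.

```yaml
# Role scoped to one namespace: grants rights only on the Instrumentation
# custom resource, nothing else from the operator's own role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: otel-instrumentation-editor   # placeholder name
  namespace: my-ns                    # placeholder for the tenant namespace
rules:
  - apiGroups: ["opentelemetry.io"]   # API group named in the Forbidden error
    resources: ["instrumentations"]   # resource named in the Forbidden error
    # Assumed verb set for a tenant that manages its own Instrumentation
    # objects; drop any verb the tenant does not need.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Binds the Role to the tenant user only. The operator's service account
# is deliberately not a subject here: per the thread, the operator does not
# create or delete OTEL custom resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: otel-instrumentation-editor   # placeholder name
  namespace: my-ns
subjects:
  - kind: User
    name: tenant-user                 # placeholder for the redacted user name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: otel-instrumentation-editor
  apiGroup: rbac.authorization.k8s.io
```

After applying it, the same check used earlier in the thread, `kubectl auth can-i create otelinst -n my-ns --as=tenant-user`, should return `yes`, while the operator's service account keeps its narrower role.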