Unable to run the targetAllocator in namespace mode #3086

alita1991 · 2024-07-01T12:40:02Z

Component(s)

target allocator

Describe the issue you're reporting

Hi,

I'm trying to run the targetAllocator in namespace mode, but I encountered the following errors:

{"level":"error","ts":"2024-07-01T09:59:11Z","logger":"setup.prometheus-cr-watcher","msg":"Failed to create namespace informer in promOperator CRD watcher","error":"missing list/watch permissions on the 'namespaces' resource: missing \"list\" permission on resource \"namespaces\" (group: \"\") for all namespaces: missing \"watch\" permission on resource \"namespaces\" (group: \"\") for all namespaces","stacktrace":"[github.com/open-telemetry/opentelemetry-operator/cmd/otel-allocator/watcher.NewPrometheusCRWatcher\n\t/home/runner/work/opentelemetry-operator/opentelemetry-operator/cmd/otel-allocator/watcher/promOperator.go:99\nmain.main\n\t/home/runner/work/opentelemetry-operator/opentelemetry-operator/cmd/otel-allocator/main.go:119\nruntime.main\n\t/opt/hostedtoolcache/go/1.22.4/x64/src/runtime/proc.go:271](http://github.com/open-telemetry/opentelemetry-operator/cmd/otel-allocator/watcher.NewPrometheusCRWatcher/n/t/home/runner/work/opentelemetry-operator/opentelemetry-operator/cmd/otel-allocator/watcher/promOperator.go:99/nmain.main/n/t/home/runner/work/opentelemetry-operator/opentelemetry-operator/cmd/otel-allocator/main.go:119/nruntime.main/n/t/opt/hostedtoolcache/go/1.22.4/x64/src/runtime/proc.go:271)"}
{"level":"error","ts":"2024-07-01T09:59:14Z","msg":"pkg/mod/[k8s.io/[email protected]/tools/cache/reflector.go:232](http://k8s.io/[email protected]/tools/cache/reflector.go:232): Failed to watch *v1.PodMonitor: failed to list *v1.PodMonitor: [podmonitors.monitoring.coreos.com](http://podmonitors.monitoring.coreos.com/) is forbidden: User \"system:serviceaccount:argocd-openshift:observability-cr-argocd-openshift-sa\" cannot list resource \"podmonitors\" in API group \"[monitoring.coreos.com](http://monitoring.coreos.com/)\" at the cluster scope","stacktrace":"[k8s.io/client-go/tools/cache.DefaultWatchErrorHandler\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:150\nk8s.io/client-go/tools/cache.(*Reflector).Run.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:299\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:226\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:227\nk8s.io/client-go/tools/cache.(*Reflector).Run\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:297\nk8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:55\nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:72](http://k8s.io/client-go/tools/cache.DefaultWatchErrorHandler/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:150/nk8s.io/client-go/tools/cache.(*Reflector).Run.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:299/nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:226/nk8s.io/apimachinery/pkg/util/wait.BackoffUntil/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:227/nk8s.io/client-go/tools/cache.(*Reflector).Run/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:297/nk8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:55/nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:72)"}
{"level":"error","ts":"2024-07-01T12:10:48Z","msg":"pkg/mod/[k8s.io/[email protected]/tools/cache/reflector.go:232](http://k8s.io/[email protected]/tools/cache/reflector.go:232): Failed to watch *v1.ServiceMonitor: failed to list *v1.ServiceMonitor: [servicemonitors.monitoring.coreos.com](http://servicemonitors.monitoring.coreos.com/) is forbidden: User \"system:serviceaccount:argocd-openshift:observability-cr-argocd-openshift-sa\" cannot list resource \"servicemonitors\" in API group \"[monitoring.coreos.com](http://monitoring.coreos.com/)\" at the cluster scope","stacktrace":"[k8s.io/client-go/tools/cache.DefaultWatchErrorHandler\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:150\nk8s.io/client-go/tools/cache.(*Reflector).Run.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:299\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:226\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:227\nk8s.io/client-go/tools/cache.(*Reflector).Run\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:297\nk8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:55\nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1\n\t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:72](http://k8s.io/client-go/tools/cache.DefaultWatchErrorHandler/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:150/nk8s.io/client-go/tools/cache.(*Reflector).Run.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:299/nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:226/nk8s.io/apimachinery/pkg/util/wait.BackoffUntil/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/backoff.go:227/nk8s.io/client-go/tools/cache.(*Reflector).Run/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:297/nk8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:55/nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1/n/t/home/runner/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:72)"}

Config

  targetAllocator:
    allocationStrategy: consistent-hashing
    enabled: true
    filterStrategy: relabel-config
    observability:
      metrics: {}
    podSecurityContext:
      fsGroup: 1000700000
      seccompProfile:
        type: RuntimeDefault
    prometheusCR:
      enabled: true
      podMonitorSelector: {}
      scrapeInterval: 30s
      serviceMonitorSelector: {}

The collector is configured to run with a serviceAccount bound to a Role, limiting access to a namespace only.

The text was updated successfully, but these errors were encountered:

jaronoff97 · 2024-07-01T15:26:24Z

the target allocator already has a servicemonitor and podmonitor namespace selectro, we just need to expose it in the operator here.

RichardChukwu · 2024-10-16T00:12:36Z

Hi @jaronoff97 I'd love to know if this is still being worked on?

jaronoff97 · 2024-10-16T14:53:56Z

@RichardChukwu I don't believe so... cc @alita1991 are you still interested in working on this?

dexter0195 · 2024-12-23T16:46:22Z

I would love to contribute on this 😄 I submitted a PR here, let me know what do you think #3573

It's currently not possible to deploy the TA without cluster-wide permisisons. This change introduces a new env variable to the TA, WATCH_NAMESPACE, which allows for specifying which namespaces to watch. This approach is similar to how the opentelemetry-operator can be scoped to watch a single namespace. This does mean that cluster-wide resource like node metrics (cAdvisor) are no longer accessible, but this is acceptable since we only want the TA to know about targets that exist a specific namespaces. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>

When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a comma-separated list of namespaces for the target allocator to watch. If set to an empty string, it will list all list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty string. - denyNamespaces is a comma-separated list of namespaces for the target allocator to not watch. If set to an empty string, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty string. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>

When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a comma-separated list of namespaces for the target allocator to watch. If set to an empty string, it will list all list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty string. - denyNamespaces is a comma-separated list of namespaces for the target allocator to not watch. If set to an empty string, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty string. A new end to end test was created, e2e-targetallocator/targetallocator-namespace, to test setting allowNamespaces and denyNamespaces. The first part of the test sets up a a collector and TA in a namespace suffixed with '-top-secret'. The TA in this namespace is configured with the allowNamespaces to by this '-top-secret' namespace. Then a check is performed to make sure that it can discover the service monitor that is created by the otel-operator. This setup also doesn't make use of any ClusterRole as it only creates a Role to perform its task of discovering targets in its own namespace. The second part of the test sets up another collector and TA are created in a separate namespace without the '-top-secret' namespace with a ClusterRole. The denyNamespaces is set to the namespace suffixed with the '-top-secret' namespace, and later we check that we can't discover the ServiceMonitor that is in the 'top-secret' namespace. We also check that it can still discover the ServiceMonitor that is in its own namespace. Documentation was added to the otel-allocator README on how to set allowNamespaces to configure the scope that the TA is allowed to interact with. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>

When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a list of namespaces for the target allocator to watch. If set to an empty list, it will list all list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty list. - denyNamespaces is a list of namespaces for the target allocator to not watch. If set to an empty list, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty list. A new end to end test was created, e2e-targetallocator/targetallocator-namespace, to test setting allowNamespaces and denyNamespaces. The first part of the test sets up a a collector and TA in a namespace suffixed with '-top-secret'. The TA in this namespace is configured with the allowNamespaces to by this '-top-secret' namespace. Then a check is performed to make sure that it can discover the service monitor that is created by the otel-operator. This setup also doesn't make use of any ClusterRole as it only creates a Role to perform its task of discovering targets in its own namespace. The second part of the test sets up another collector and TA are created in a separate namespace without the '-top-secret' namespace with a ClusterRole. The denyNamespaces is set to the namespace suffixed with the '-top-secret' namespace, and later we check that we can't discover the ServiceMonitor that is in the 'top-secret' namespace. We also check that it can still discover the ServiceMonitor that is in its own namespace. Documentation was added to the otel-allocator README on how to set allowNamespaces to configure the scope that the TA is allowed to interact with. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>

When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a list of namespaces for the target allocator to watch. If set to an empty list, it will list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty list. - denyNamespaces is a list of namespaces for the target allocator to not watch. If set to an empty list, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty list. Validation is performed at the admission webhook and TA startup to validate that both fields are not set at the same time. A new end to end test was created, e2e-targetallocator/targetallocator-namespace, to test setting allowNamespaces and denyNamespaces. The first part of the test sets up a a collector and TA in a namespace suffixed with '-top-secret'. The TA in this namespace is configured with the allowNamespaces to the '-top-secret' namespace. Then a check is performed to make sure that it can discover the service monitor that is created by the otel-operator. This setup also doesn't make use of any ClusterRole as it only creates a Role to perform its task of discovering targets in its own namespace. The second part of the test sets up another collector and TA in a separate namespace without the '-top-secret' namespace with a ClusterRole. The denyNamespaces is set to the namespace suffixed with the '-top-secret' namespace, and later we check that we can't discover the ServiceMonitor that is in the 'top-secret' namespace. We also check that it can still discover the ServiceMonitor that is in its own namespace. Documentation was added to the otel-allocator README on how to set allowNamespaces to configure the scope that the TA is allowed to interact with. Fixes: open-telemetry#3086 Signed-off-by: Charlie Le <[email protected]>

When the target allocator is configured to watch Prometheus custom resources in the cluster to discover targets, it is currently hard-coded to require a ClusterRole with a policy rule of listing namespaces. This prevents usage in environments where configuring ClusterRoles is not permitted i.e. in namespace-as-a-service setups where only Roles can be created. This change introduces two fields in the prometheusCR specification to allow configuring the namespaces that can be interacted with by the target allocator. - allowNamespaces is a list of namespaces for the target allocator to watch. If set to an empty list, it will list all namespaces in the cluster. This is mutually exclusive with denyNamespaces. Defaults to an empty list. - denyNamespaces is a list of namespaces for the target allocator to not watch. If set to an empty list, it will not exclude any namespaces. This is mutually exclusive with allowNamespaces. Defaults to an empty list. Validation is performed at the admission webhook and TA startup to validate that both fields are not set at the same time. A new end to end test was created, e2e-targetallocator/targetallocator-namespace, to test setting allowNamespaces and denyNamespaces. The first part of the test sets up a a collector and TA in a namespace suffixed with '-top-secret'. The TA in this namespace is configured with the allowNamespaces to the '-top-secret' namespace. Then a check is performed to make sure that it can discover the service monitor that is created by the otel-operator. This setup also doesn't make use of any ClusterRole as it only creates a Role to perform its task of discovering targets in its own namespace. The second part of the test sets up another collector and TA in a separate namespace without the '-top-secret' namespace with a ClusterRole. The denyNamespaces is set to the namespace suffixed with the '-top-secret' namespace, and later we check that we can't discover the ServiceMonitor that is in the 'top-secret' namespace. We also check that it can still discover the ServiceMonitor that is in its own namespace. Documentation was added to the otel-allocator README on how to set allowNamespaces to configure the scope that the TA is allowed to interact with. Fixes: #3086 Signed-off-by: Charlie Le <[email protected]>

alita1991 added the needs triage label Jul 1, 2024

jaronoff97 assigned alita1991 Jul 1, 2024

jaronoff97 added enhancement New feature or request good first issue Good for newcomers area:target-allocator Issues for target-allocator and removed needs triage labels Jul 1, 2024

jaronoff97 mentioned this issue Jul 16, 2024

Unable to run opentelemetry-collector in namespaced mode open-telemetry/opentelemetry-collector#10482

Closed

jaronoff97 added the area:rbac Issues relating to RBAC label Aug 1, 2024

dexter0195 mentioned this issue Dec 23, 2024

feat(TargetAllocator): allow configuration of PrometheusCR namespaceSelectors #3573

Open

swiatekm assigned dexter0195 and unassigned alita1991 Jan 16, 2025

CharlieTLe mentioned this issue Mar 3, 2025

Allow for scoping TA to watch namespace #3763

Merged

swiatekm closed this as completed in #3763 Mar 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to run the targetAllocator in namespace mode #3086

Unable to run the targetAllocator in namespace mode #3086

alita1991 commented Jul 1, 2024 •

edited

Loading

jaronoff97 commented Jul 1, 2024

RichardChukwu commented Oct 16, 2024

jaronoff97 commented Oct 16, 2024

dexter0195 commented Dec 23, 2024

Unable to run the targetAllocator in namespace mode #3086

Unable to run the targetAllocator in namespace mode #3086

Comments

alita1991 commented Jul 1, 2024 • edited Loading

Component(s)

Describe the issue you're reporting

jaronoff97 commented Jul 1, 2024

RichardChukwu commented Oct 16, 2024

jaronoff97 commented Oct 16, 2024

dexter0195 commented Dec 23, 2024

alita1991 commented Jul 1, 2024 •

edited

Loading