From f1dfe99079adf7b9328a2c5dac8e2ebbc6d0edad Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 12:31:18 +0200 Subject: [PATCH 01/12] chore(instrumentor): add role and rolebinding --- cli/cmd/resources/instrumentor.go | 87 ++++++++++++++++++++++++------- 1 file changed, 67 insertions(+), 20 deletions(-) diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index e2e972306..ff91b691b 100644 --- a/cli/cmd/resources/instrumentor.go +++ b/cli/cmd/resources/instrumentor.go @@ -23,12 +23,19 @@ import ( ) const ( - InstrumentorServiceName = "instrumentor" - InstrumentorDeploymentName = "odigos-instrumentor" - InstrumentorAppLabelValue = "odigos-instrumentor" - InstrumentorContainerName = "manager" - InstrumentorWebhookSecretName = "instrumentor-webhook-cert" - InstrumentorWebhookVolumeName = "webhook-cert" + InstrumentorOtelServiceName = "instrumentor" + InstrumentorDeploymentName = "odigos-instrumentor" + InstrumentorAppLabelValue = InstrumentorDeploymentName + InstrumentorServiceName = InstrumentorDeploymentName + InstrumentorServiceAccountName = InstrumentorDeploymentName + InstrumentorRoleName = InstrumentorDeploymentName + InstrumentorRoleBindingName = InstrumentorDeploymentName + InstrumentorClusterRoleName = InstrumentorDeploymentName + InstrumentorClusterRoleBinding = InstrumentorDeploymentName + InstrumentorCertificateName = InstrumentorDeploymentName + InstrumentorContainerName = "manager" + InstrumentorWebhookSecretName = "instrumentor-webhook-cert" + InstrumentorWebhookVolumeName = "webhook-cert" ) func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { @@ -38,7 +45,7 @@ func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: InstrumentorDeploymentName, + Name: InstrumentorServiceAccountName, Namespace: ns, }, } 
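Review bot: The exported constant `InstrumentorServiceName` silently changes meaning in the const block — it was the OTel service name `"instrumentor"` and now resolves to `"odigos-instrumentor"`, with the old value moved to the new `InstrumentorOtelServiceName`. Within this file the only consumer (the `OTEL_SERVICE_NAME` env value) is updated, but any other package importing the constant would switch to the deployment name without a compile error, so grep for external uses before merging. Keeping the old identifier for the OTel value and introducing a fresh one for the Kubernetes Service, e.g. `InstrumentorServiceName = "instrumentor"` retained and `InstrumentorK8sServiceName = InstrumentorDeploymentName` added, would avoid the silent change.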
@@ -57,7 +64,7 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, }, }, RoleRef: rbacv1.RoleRef{ @@ -68,6 +75,44 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { } } +func NewInstrumentorRole(ns string) *rbacv1.Role { + return &rbacv1.Role{ + TypeMeta: metav1.TypeMeta{ + Kind: "Role", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleName, + Namespace: ns, + }, + Rules: []rbacv1.PolicyRule{}, + } +} + +func NewInstrumentorRoleBinding(ns string) *rbacv1.RoleBinding { + return &rbacv1.RoleBinding{ + TypeMeta: metav1.TypeMeta{ + Kind: "RoleBinding", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleBindingName, + Namespace: ns, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: InstrumentorServiceAccountName, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: InstrumentorRoleName, + }, + } +} + func NewInstrumentorClusterRole() *rbacv1.ClusterRole { return &rbacv1.ClusterRole{ TypeMeta: metav1.TypeMeta{ @@ -75,7 +120,7 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, Rules: []rbacv1.PolicyRule{ { 
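Review bot: The ServiceAccount subject in the new `NewInstrumentorRoleBinding` has no `Namespace`, while `NewInstrumentorClusterRoleBinding` in this same patch sets it to `ns`. RBAC resolves an empty ServiceAccount namespace to the binding's own namespace, so the binding works, but it reads as an omission next to the other bindings in the file; add `Namespace: ns,` to the subject for consistency and explicitness.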
@@ -204,19 +249,19 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleBinding, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, Namespace: ns, }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, } } @@ -294,7 +339,7 @@ func NewInstrumentorService(ns string) *corev1.Service { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, }, Spec: corev1.ServiceSpec{ @@ -333,7 +378,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis Name: "pod-mutating-webhook.odigos.io", ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, Path: ptrString("/mutate--v1-pod"), Port: intPtr(9443), @@ -425,7 +470,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, APIVersion: "apps/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorDeploymentName, Namespace: ns, Labels: map[string]string{ "app.kubernetes.io/name": InstrumentorAppLabelValue, @@ -459,7 +504,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, Env: []corev1.EnvVar{ { Name: "OTEL_SERVICE_NAME", - Value: InstrumentorServiceName, + Value: InstrumentorOtelServiceName, }, { Name: "CURRENT_NS", 
@@ -531,7 +576,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, }, }, TerminationGracePeriodSeconds: ptrint64(10), - ServiceAccountName: "odigos-instrumentor", + ServiceAccountName: InstrumentorServiceAccountName, SecurityContext: &corev1.PodSecurityContext{ RunAsNonRoot: ptrbool(true), }, @@ -591,6 +636,8 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er resources := []kube.Object{ NewInstrumentorServiceAccount(a.ns), NewInstrumentorLeaderElectionRoleBinding(a.ns), + NewInstrumentorRole(a.ns), + NewInstrumentorRoleBinding(a.ns), NewInstrumentorClusterRole(), NewInstrumentorClusterRoleBinding(a.ns), NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage), @@ -604,14 +651,14 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er }, resources...) } else { - ca, err := crypto.GenCA("odigos-instrumentor", 365) + ca, err := crypto.GenCA(InstrumentorCertificateName, 365) if err != nil { return fmt.Errorf("failed to generate CA: %w", err) } altNames := []string{ - fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns), - fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns), + fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns), + fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns), } cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca) From 9a2131638d8e00de6fdb554a1fc2b677725c14db Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 13:14:33 +0200 Subject: [PATCH 02/12] chore(intrumentor): reduce cluster role permissions --- cli/cmd/resources/instrumentor.go | 159 +++++++++++------------------- instrumentor/main.go | 25 ++++- 2 files changed, 78 insertions(+), 106 deletions(-) diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index ff91b691b..5b2703dbe 100644 --- a/cli/cmd/resources/instrumentor.go 
+++ b/cli/cmd/resources/instrumentor.go @@ -23,19 +23,20 @@ import ( ) const ( - InstrumentorOtelServiceName = "instrumentor" - InstrumentorDeploymentName = "odigos-instrumentor" - InstrumentorAppLabelValue = InstrumentorDeploymentName - InstrumentorServiceName = InstrumentorDeploymentName - InstrumentorServiceAccountName = InstrumentorDeploymentName - InstrumentorRoleName = InstrumentorDeploymentName - InstrumentorRoleBindingName = InstrumentorDeploymentName - InstrumentorClusterRoleName = InstrumentorDeploymentName - InstrumentorClusterRoleBinding = InstrumentorDeploymentName - InstrumentorCertificateName = InstrumentorDeploymentName - InstrumentorContainerName = "manager" - InstrumentorWebhookSecretName = "instrumentor-webhook-cert" - InstrumentorWebhookVolumeName = "webhook-cert" + InstrumentorOtelServiceName = "instrumentor" + InstrumentorDeploymentName = "odigos-instrumentor" + InstrumentorAppLabelValue = InstrumentorDeploymentName + InstrumentorServiceName = InstrumentorDeploymentName + InstrumentorServiceAccountName = InstrumentorDeploymentName + InstrumentorRoleName = InstrumentorDeploymentName + InstrumentorRoleBindingName = InstrumentorDeploymentName + InstrumentorClusterRoleName = InstrumentorDeploymentName + InstrumentorClusterRoleBinding = InstrumentorDeploymentName + InstrumentorCertificateName = InstrumentorDeploymentName + InstrumentorMutatingWebhookName = "mutating-webhook-configuration" + InstrumentorContainerName = "manager" + InstrumentorWebhookSecretName = "instrumentor-webhook-cert" + InstrumentorWebhookVolumeName = "webhook-cert" ) func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { 
@@ -85,7 +86,34 @@ func NewInstrumentorRole(ns string) *rbacv1.Role { Name: InstrumentorRoleName, Namespace: ns, }, - Rules: []rbacv1.PolicyRule{}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + ResourceNames: []string{"odigos-config"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups/status"}, + Verbs: []string{"get", "list", "watch"}, + }, + { // Needed for odigos own telemetry events reporting. Consider moving to scheduler + APIGroups: []string{"odigos.io"}, + Resources: []string{"destinations"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"instrumentationrules"}, + Verbs: []string{"get", "list", "watch"}, + }, + }, } } 
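Review bot: The `configmaps` rule hardcodes `ResourceNames: []string{"odigos-config"}` while the cache selector added to `instrumentor/main.go` in this same commit uses `consts.OdigosConfigurationName`; since `consts` is already referenced in this file's webhook hunk, use `ResourceNames: []string{consts.OdigosConfigurationName},` so the RBAC restriction and the informer's field selector cannot drift apart. That coupling deserves a comment, because a `list`/`watch` restricted by `resourceNames` is only authorized when the request carries a matching `metadata.name` field selector, and any non-cached ConfigMap read by the instrumentor without that selector will be forbidden — suggested: `// list/watch with ResourceNames requires a metadata.name field selector on the request; the manager cache in instrumentor/main.go sets one.` The `list` and `watch` verbs on `collectorsgroups/status` are inert, as a status subresource only serves get/update/patch; `get` alone would be tighter, and the rule can go entirely if status is only ever read through the parent object.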
@@ -123,121 +151,46 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole { Name: InstrumentorClusterRoleName, }, Rules: []rbacv1.PolicyRule{ - { + { // Used in events reporting for own telemetry APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"list", "watch", "get"}, }, - { + { // Read instrumentation labels from namespaces APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"list", "watch", "get"}, }, - { - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { + { // Read instrumentation labels from daemonsets APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/status"}, - Verbs: []string{"get"}, + Verbs: []string{"get", "list", "watch"}, }, - { + { // Read instrumentation labels from deployments APIGroups: []string{"apps"}, Resources: []string{"deployments"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"get", "list", "watch"}, }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/status"}, - Verbs: []string{"get"}, - }, - { + { // Read instrumentation labels from statefulsets APIGroups: []string{"apps"}, Resources: []string{"statefulsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"statefulsets/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"statefulsets/status"}, - Verbs: []string{"get"}, - }, - { - APIGroups: 
[]string{"odigos.io"}, - Resources: []string{"collectorsgroups"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/status"}, - Verbs: []string{"get", "patch", "update"}, + Verbs: []string{"get", "list", "watch"}, }, - { + { // React to runtime detection in user workloads in all namespaces APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"instrumentedapplications/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"delete", "get", "list", "watch"}, }, - { + { // Update the status of the instrumented applications after device injection APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications/status"}, Verbs: []string{"get", "patch", "update"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/status"}, - Verbs: []string{"get", "patch", "update"}, - }, { APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentationconfigs"}, Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"instrumentationrules"}, - Verbs: []string{"get", "list", "watch"}, - }, }, } } 
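Review bot: The `instrumentationconfigs` rule is the only one left in the ClusterRole without a justifying comment and the only one keeping the full `create`/`delete`/`patch`/`update` set cluster-wide; the other rules in this hunk now state why each verb is needed, so this one should too, e.g. `{ // Owns instrumentationconfigs in user namespaces: <which controller creates/updates/deletes them>` filled in from the controller code, which is not on this page. Likewise the `instrumentedapplications` comment says "React to runtime detection" while the verbs include `delete`; `instrumentor/main.go` imports a `deleteinstrumentedapplication` controller, so naming it in the comment would make the `delete` verb traceable to its consumer. The enclosing `NewInstrumentorClusterRole` body begins before this hunk.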
@@ -364,10 +317,10 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis APIVersion: "admissionregistration.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "mutating-webhook-configuration", + Name: InstrumentorMutatingWebhookName, Labels: map[string]string{ "app.kubernetes.io/name": "pod-mutating-webhook", - "app.kubernetes.io/instance": "mutating-webhook-configuration", + "app.kubernetes.io/instance": InstrumentorMutatingWebhookName, "app.kubernetes.io/component": "webhook", "app.kubernetes.io/created-by": "instrumentor", "app.kubernetes.io/part-of": "odigos", @@ -404,7 +357,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis TimeoutSeconds: intPtr(10), ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ - "odigos.io/inject-instrumentation": "true", + consts.OdigosInjectInstrumentationLabel: "true", }, }, AdmissionReviewVersions: []string{ diff --git a/instrumentor/main.go b/instrumentor/main.go index beb2b6855..db1db885b 100644 --- a/instrumentor/main.go +++ b/instrumentor/main.go @@ -20,6 +20,7 @@ import ( "flag" "os" + "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/k8sutils/pkg/env" "github.com/odigos-io/odigos/instrumentor/controllers/instrumentationconfig" @@ -38,7 +39,7 @@ import ( "github.com/go-logr/zapr" bridge "github.com/odigos-io/opentelemetry-zap-bridge" - v1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" + odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" "github.com/odigos-io/odigos/common" "github.com/odigos-io/odigos/instrumentor/controllers/deleteinstrumentedapplication" @@ -48,6 +49,7 @@ import ( // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. + "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" 
@@ -69,7 +71,7 @@ var ( func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - utilruntime.Must(v1.AddToScheme(scheme)) + utilruntime.Must(odigosv1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -97,6 +99,11 @@ func main() { logger := zapr.NewLogger(zapLogger) ctrl.SetLogger(logger) + odigosNs := env.GetCurrentNamespace() + nsSelector := client.InNamespace(odigosNs).AsSelector() + odigosConfigNameSelector := fields.OneTermEqualSelector("metadata.name", consts.OdigosConfigurationName) + odigosConfigSelector := fields.AndSelectors(nsSelector, odigosConfigNameSelector) + mgrOptions := ctrl.Options{ Scheme: scheme, Metrics: metricsserver.Options{ @@ -111,7 +118,19 @@ func main() { // Currently, instrumentor only need the labels and the .spec.template.spec field of the workloads. ByObject: map[client.Object]cache.ByObject{ &corev1.ConfigMap{}: { - Field: client.InNamespace(env.GetCurrentNamespace()).AsSelector(), + Field: odigosConfigSelector, + }, + &corev1.ConfigMap{}: { + Field: nsSelector, + }, + &odigosv1.CollectorsGroup{}: { + Field: nsSelector, + }, + &odigosv1.Destination{}: { + Field: nsSelector, + }, + &odigosv1.InstrumentationRule{}: { + Field: nsSelector, }, }, }, From 73811c2205ae38c1eb05ee12cb9617e207089eb1 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 13:20:30 +0200 Subject: [PATCH 03/12] revert(instrumentor): update and patch for workloads --- cli/cmd/resources/instrumentor.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index 5b2703dbe..62eeb1200 100644 --- a/cli/cmd/resources/instrumentor.go +++ b/cli/cmd/resources/instrumentor.go 
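Review bot: `odigosNs := env.GetCurrentNamespace()` is used unchecked to build `nsSelector`; if it ever returns an empty string (its behaviour is not on this page), `client.InNamespace("").AsSelector()` is an unrestricted selector, and with ConfigMap, CollectorsGroup, Destination and InstrumentationRule access now granted only by a namespaced Role the informers would be forbidden cluster-wide and the manager would never become ready, with nothing but cache-sync errors to explain it. Fail fast right after the assignment: `if odigosNs == "" { logger.Error(nil, "current namespace is not set"); os.Exit(1) }` — `logger` is in scope from the lines above and `os` is already imported in this file. The odiglet side of this series does the equivalent check in `env.Load()`, so the two components would then behave alike.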
@@ -161,20 +161,20 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole { Resources: []string{"namespaces"}, Verbs: []string{"list", "watch", "get"}, }, - { // Read instrumentation labels from daemonsets + { // Read instrumentation labels from daemonsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { // Read instrumentation labels from deployments + { // Read instrumentation labels from deployments and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"deployments"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { // Read instrumentation labels from statefulsets + { // Read instrumentation labels from statefulsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"statefulsets"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, { // React to runtime detection in user workloads in all namespaces APIGroups: []string{"odigos.io"}, From 2d5c26394c13825899c600290bd61f4d377aa331 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 14:00:20 +0200 Subject: [PATCH 04/12] chore(instrumentor): updated rbac permissions in helm template --- .../templates/instrumentor/clusterrole.yaml | 79 ++++++------------- helm/odigos/templates/instrumentor/role.yaml | 48 +++++++++++ .../templates/instrumentor/rolebinding.yaml | 12 +++ 3 files changed, 86 insertions(+), 53 deletions(-) create mode 100644 helm/odigos/templates/instrumentor/role.yaml create mode 100644 helm/odigos/templates/instrumentor/rolebinding.yaml diff --git a/helm/odigos/templates/instrumentor/clusterrole.yaml b/helm/odigos/templates/instrumentor/clusterrole.yaml index 1c558fcf8..d1d479f72 100644 --- a/helm/odigos/templates/instrumentor/clusterrole.yaml 
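Review bot: The `update`/`patch` verbs restored on deployments, daemonsets and statefulsets in every namespace are the broadest write grant in this ClusterRole — control over a workload's pod template is in effect control over everything that workload's ServiceAccount can do — so the comment should name the controller that needs them and the verb it uses. If the pod-spec changes are applied with only one of Patch or Update (the controller code is not on this page), drop the other verb; the Helm template in the next patch mirrors this verb list and would need the same trim. A comment of the form `{ // Read instrumentation labels from daemonsets and patch their pod template; used by <controller>` makes the grant auditable.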
+++ b/helm/odigos/templates/instrumentor/clusterrole.yaml @@ -6,102 +6,75 @@ rules: - apiGroups: - "" resources: - - namespaces - nodes verbs: - - get - list - watch + - get - apiGroups: - - apps + - "" resources: - - daemonsets - - deployments - - statefulsets + - namespaces verbs: - - create - - get - list - - patch - - update - watch + - get - apiGroups: - - "" + - apps resources: - - configmaps + - daemonsets verbs: - - create - - delete - get - list - - patch - - update - watch + - update + - patch - apiGroups: - apps resources: - - daemonsets/finalizers - - deployments/finalizers - - statefulsets/finalizers + - deployments verbs: + - get + - list + - watch - update + - patch - apiGroups: - apps resources: - - daemonsets/status - - deployments/status - - statefulsets/status + - statefulsets verbs: - get + - list + - watch + - update + - patch - apiGroups: - odigos.io resources: - - collectorsgroups - instrumentedapplications - - destinations verbs: - - create - delete - get - list - - patch - - update - watch - apiGroups: - odigos.io resources: - - collectorsgroups/finalizers - - instrumentedapplications/finalizers - - destinations/finalizers + - instrumentedapplications/status verbs: + - get + - patch - update - apiGroups: - odigos.io resources: - - collectorsgroups/status - - instrumentedapplications/status - - destinations/status + - instrumentationconfigs verbs: + - create + - delete - get + - list - patch - update - - apiGroups: - - odigos.io - resources: - - instrumentationconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - odigos.io - resources: - - instrumentationrules - verbs: - - get - - list - - watch + - watch diff --git a/helm/odigos/templates/instrumentor/role.yaml b/helm/odigos/templates/instrumentor/role.yaml new file mode 100644 index 000000000..05e6908a6 --- /dev/null +++ b/helm/odigos/templates/instrumentor/role.yaml 
@@ -0,0 +1,48 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resourceNames: + - odigos-config + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups/status + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - destinations + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - instrumentationrules + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/helm/odigos/templates/instrumentor/rolebinding.yaml b/helm/odigos/templates/instrumentor/rolebinding.yaml new file mode 100644 index 000000000..7d3bc38ab --- /dev/null +++ b/helm/odigos/templates/instrumentor/rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: odigos-instrumentor +subjects: +- kind: ServiceAccount + name: odigos-instrumentor From 2826fc4e0e6fb0c1937e2b92e49cbf55c37fe2b4 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 14:04:02 +0200 Subject: [PATCH 05/12] chore: better var name --- cli/cmd/resources/instrumentor.go | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index 62eeb1200..89e3c7d8e 100644 --- a/cli/cmd/resources/instrumentor.go +++ b/cli/cmd/resources/instrumentor.go 
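Review bot: `helm/odigos/templates/instrumentor/role.yaml` ends without a trailing newline (`\ No newline at end of file`), unlike the sibling `rolebinding.yaml`; add the final newline. This file is now a hand-maintained copy of `NewInstrumentorRole` in `cli/cmd/resources/instrumentor.go` with nothing tying the two together, so a header comment such as `# Keep in sync with NewInstrumentorRole in cli/cmd/resources/instrumentor.go` would at least point a future editor at the other copy. The `rolebinding.yaml` subject omits `namespace`, which RBAC defaults to the binding's namespace — consistent with the Go side, but `namespace: {{ .Release.Namespace }}` would make the intent explicit.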
@@ -23,20 +23,20 @@ import ( ) const ( - InstrumentorOtelServiceName = "instrumentor" - InstrumentorDeploymentName = "odigos-instrumentor" - InstrumentorAppLabelValue = InstrumentorDeploymentName - InstrumentorServiceName = InstrumentorDeploymentName - InstrumentorServiceAccountName = InstrumentorDeploymentName - InstrumentorRoleName = InstrumentorDeploymentName - InstrumentorRoleBindingName = InstrumentorDeploymentName - InstrumentorClusterRoleName = InstrumentorDeploymentName - InstrumentorClusterRoleBinding = InstrumentorDeploymentName - InstrumentorCertificateName = InstrumentorDeploymentName - InstrumentorMutatingWebhookName = "mutating-webhook-configuration" - InstrumentorContainerName = "manager" - InstrumentorWebhookSecretName = "instrumentor-webhook-cert" - InstrumentorWebhookVolumeName = "webhook-cert" + InstrumentorOtelServiceName = "instrumentor" + InstrumentorDeploymentName = "odigos-instrumentor" + InstrumentorAppLabelValue = InstrumentorDeploymentName + InstrumentorServiceName = InstrumentorDeploymentName + InstrumentorServiceAccountName = InstrumentorDeploymentName + InstrumentorRoleName = InstrumentorDeploymentName + InstrumentorRoleBindingName = InstrumentorDeploymentName + InstrumentorClusterRoleName = InstrumentorDeploymentName + InstrumentorClusterRoleBindingName = InstrumentorDeploymentName + InstrumentorCertificateName = InstrumentorDeploymentName + InstrumentorMutatingWebhookName = "mutating-webhook-configuration" + InstrumentorContainerName = "manager" + InstrumentorWebhookSecretName = "instrumentor-webhook-cert" + InstrumentorWebhookVolumeName = "webhook-cert" ) func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { @@ -202,7 +202,7 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: InstrumentorClusterRoleBinding, + Name: InstrumentorClusterRoleBindingName, }, Subjects: []rbacv1.Subject{ { 
From d5e6befe46bd295c3a8a2bc64806c3c2974f14d9 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Fri, 20 Dec 2024 15:02:51 +0200 Subject: [PATCH 06/12] fix: duplicate cache keys --- instrumentor/main.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/instrumentor/main.go b/instrumentor/main.go index db1db885b..131c9d2f2 100644 --- a/instrumentor/main.go +++ b/instrumentor/main.go @@ -120,9 +120,6 @@ func main() { &corev1.ConfigMap{}: { Field: odigosConfigSelector, }, - &corev1.ConfigMap{}: { - Field: nsSelector, - }, &odigosv1.CollectorsGroup{}: { Field: nsSelector, }, From cb3b34e774de840d45032fd80da5b7d87a1e77f7 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Sat, 21 Dec 2024 10:18:23 +0200 Subject: [PATCH 07/12] chore(odiglet): remove unused namespace and service --- cli/cmd/resources/odiglet.go | 11 ----------- helm/odigos/templates/odiglet/clusterrole.yaml | 2 -- odiglet/pkg/kube/manager.go | 5 ----- 3 files changed, 18 deletions(-) diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index ea054386d..d1f2b3d13 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go @@ -253,17 +253,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { "instrumentationinstances/status", }, }, - { - Verbs: []string{ - "get", - "list", - "watch", - }, - APIGroups: []string{""}, - Resources: []string{ - "namespaces", - }, - }, { Verbs: []string{ "get", diff --git a/helm/odigos/templates/odiglet/clusterrole.yaml b/helm/odigos/templates/odiglet/clusterrole.yaml index 9cbb2d109..62e8ae3ec 100644 --- a/helm/odigos/templates/odiglet/clusterrole.yaml +++ b/helm/odigos/templates/odiglet/clusterrole.yaml @@ -7,10 +7,8 @@ rules: - "" resources: - configmaps - - namespaces - nodes - pods - - services verbs: - get - list diff --git a/odiglet/pkg/kube/manager.go b/odiglet/pkg/kube/manager.go index 3b1b911a9..b090dc1e1 100644 --- a/odiglet/pkg/kube/manager.go +++ b/odiglet/pkg/kube/manager.go 
@@ -1,9 +1,7 @@ package kube import ( - "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/instrumentation" - "k8s.io/apimachinery/pkg/labels" "github.com/odigos-io/odigos/odiglet/pkg/ebpf" "github.com/odigos-io/odigos/odiglet/pkg/env" @@ -49,9 +47,6 @@ func CreateManager() (ctrl.Manager, error) { // only watch and list pods in the current node Field: fields.OneTermEqualSelector("spec.nodeName", env.Current.NodeName), }, - &corev1.Namespace{}: { - Label: labels.Set{consts.OdigosInstrumentationLabel: consts.InstrumentationEnabled}.AsSelector(), - }, }, }, Metrics: metricsserver.Options{ From b00cbc07d9d425cf7a67cd5775db772b718a8d0e Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Sat, 21 Dec 2024 10:19:48 +0200 Subject: [PATCH 08/12] chore(odiglet): remove deprecated odigosconfiguration permissions --- cli/cmd/resources/odiglet.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index d1f2b3d13..3f7a481f8 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go @@ -62,7 +62,7 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { "watch", }, APIGroups: []string{"odigos.io"}, - Resources: []string{"odigosconfigurations", "collectorsgroups", "collectorsgroups/status"}, + Resources: []string{"collectorsgroups", "collectorsgroups/status"}, }, { Verbs: []string{ From 9a17e6322472ac947664f27a43ee9b1b87b5f822 Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Sat, 21 Dec 2024 10:35:46 +0200 Subject: [PATCH 09/12] chore(odiglet): add rbac role and easy cleanups --- cli/cmd/resources/odiglet.go | 105 +++++++++++++++++++++-------------- odiglet/pkg/env/current.go | 17 ++++-- odiglet/pkg/kube/manager.go | 7 +++ 3 files changed, 82 insertions(+), 47 deletions(-) diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index 3f7a481f8..4c65e97e8 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go 
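Review bot: Dropping `"odigosconfigurations"` from the CLI-generated odiglet ClusterRole is not mirrored in `helm/odigos/templates/odiglet/clusterrole.yaml`, which this patch does not touch; if the chart still lists that resource the two install paths now grant different permissions. The same drift is visible for patch 10 of this series, which removes the cluster-wide `configmaps` rule from `NewOdigletClusterRole` while the chart's odiglet ClusterRole, as shown after patch 07, still lists `configmaps` under the core API group. Either change both copies in the same commit or record in the commit message why the chart intentionally differs.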
@@ -24,12 +24,16 @@ import ( ) const ( - OdigletServiceName = "odiglet" - OdigletDaemonSetName = "odiglet" - OdigletAppLabelValue = "odiglet" - OdigletContainerName = "odiglet" - OdigletImageName = "keyval/odigos-odiglet" - OdigletEnterpriseImageName = "keyval/odigos-enterprise-odiglet" + OdigletDaemonSetName = "odiglet" + OdigletAppLabelValue = OdigletDaemonSetName + OdigletServiceAccountName = OdigletDaemonSetName + OdigletRoleName = OdigletDaemonSetName + OdigletRoleBindingName = OdigletDaemonSetName + OdigletClusterRoleName = OdigletDaemonSetName + OdigletClusterRoleBindingName = OdigletDaemonSetName + OdigletContainerName = "odiglet" + OdigletImageName = "keyval/odigos-odiglet" + OdigletEnterpriseImageName = "keyval/odigos-enterprise-odiglet" ) func NewOdigletServiceAccount(ns string) *corev1.ServiceAccount { @@ -39,20 +43,21 @@ func NewOdigletServiceAccount(ns string) *corev1.ServiceAccount { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odiglet", + Name: OdigletServiceAccountName, Namespace: ns, }, } } -func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { - clusterrole := &rbacv1.ClusterRole{ +func NewOdigletRole(ns string) *rbacv1.Role { + return &rbacv1.Role{ TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRole", + Kind: "Role", APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odiglet", + Name: OdigletRoleName, + Namespace: ns, }, Rules: []rbacv1.PolicyRule{ { 
@@ -64,6 +69,45 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { APIGroups: []string{"odigos.io"}, Resources: []string{"collectorsgroups", "collectorsgroups/status"}, }, + }, + } +} + +func NewOdigletRoleBinding(ns string) *rbacv1.RoleBinding { + return &rbacv1.RoleBinding{ + TypeMeta: metav1.TypeMeta{ + Kind: "RoleBinding", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: OdigletRoleBindingName, + Namespace: ns, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: OdigletServiceAccountName, + Namespace: ns, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: OdigletRoleName, + }, + } +} + +func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { + clusterrole := &rbacv1.ClusterRole{ + TypeMeta: metav1.TypeMeta{ + Kind: "ClusterRole", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: OdigletClusterRoleName, + }, + Rules: []rbacv1.PolicyRule{ { Verbs: []string{ "get", @@ -122,15 +166,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { "deployments/status", }, }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{"apps"}, - Resources: []string{ - "deployments/finalizers", - }, - }, { Verbs: []string{ "get", @@ -149,15 +184,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { "statefulsets/status", }, }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{"apps"}, - Resources: []string{ - "statefulsets/finalizers", - }, - }, { Verbs: []string{ "get", @@ -176,15 +202,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { "daemonsets/status", }, }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{"apps"}, - Resources: []string{ - "daemonsets/finalizers", - }, - }, { Verbs: []string{ "get", 
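Review bot: The odiglet now gets a namespaced `Role`/`RoleBinding` from the CLI installer only; no `helm/odigos/templates/odiglet/role.yaml` or `rolebinding.yaml` appears in this patch, and patches 11–12 of the series are not on this page. With the collectorsgroups rule moved from the ClusterRole into the Role, a Helm-installed odiglet would hold no permission on collectorsgroups and the namespaced CollectorsGroup cache added to `odiglet/pkg/kube/manager.go` would fail to sync, so confirm the chart gains the matching Role and RoleBinding later in the series. The first rule of `NewOdigletRole` (`collectorsgroups`, `collectorsgroups/status`) is carried over from lines above this hunk; as with the instrumentor Role, `list`/`watch` on a `/status` subresource are inert and could be trimmed.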
@@ -308,19 +325,19 @@ func NewOdigletClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odiglet", + Name: OdigletClusterRoleBindingName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odiglet", + Name: OdigletServiceAccountName, Namespace: ns, }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: "odiglet", + Name: OdigletClusterRoleName, }, } } @@ -338,7 +355,7 @@ func NewSCCRoleBinding(ns string) *rbacv1.RoleBinding { Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odiglet", + Name: OdigletServiceAccountName, Namespace: ns, }, { @@ -630,7 +647,7 @@ func NewOdigletDaemonSet(ns string, version string, imagePrefix string, imageNam }, }, DNSPolicy: "ClusterFirstWithHostNet", - ServiceAccountName: "odiglet", + ServiceAccountName: OdigletServiceAccountName, HostNetwork: true, HostPID: true, PriorityClassName: "system-node-critical", @@ -712,6 +729,8 @@ func (a *odigletResourceManager) InstallFromScratch(ctx context.Context) error { resources := []kube.Object{ NewOdigletServiceAccount(a.ns), + NewOdigletRole(a.ns), + NewOdigletRoleBinding(a.ns), NewOdigletClusterRole(a.config.Psp), NewOdigletClusterRoleBinding(a.ns), } diff --git a/odiglet/pkg/env/current.go b/odiglet/pkg/env/current.go index 06a819bb4..8f8dc2be2 100644 --- a/odiglet/pkg/env/current.go +++ b/odiglet/pkg/env/current.go @@ -4,6 +4,8 @@ import ( "fmt" "os" "runtime" + + "github.com/odigos-io/odigos/common/consts" ) const ( @@ -12,8 +14,9 @@ const ( ) type Environment struct { - NodeName string - NodeIP string + NodeName string + NodeIP string + Namespace string } var Current Environment 
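Review bot: The new `Namespace` field on `Environment` carries no comment, yet a reader needs to know it is populated from `consts.CurrentNamespaceEnvVar` by `Load()` (the next hunk) and holds the zero value until then. Suggest `Namespace string // namespace this odiglet runs in, from consts.CurrentNamespaceEnvVar; empty until Load() succeeds`. The earlier hunks on this line are constant substitutions and the `InstallFromScratch` hunk lists the Role before its RoleBinding, which is the right order.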
@@ -29,9 +32,15 @@ func Load() error { return fmt.Errorf("env var %s is not set", NodeIPEnvVar) } + ns, ok := os.LookupEnv(consts.CurrentNamespaceEnvVar) + if !ok { + return fmt.Errorf("env var %s is not set", consts.CurrentNamespaceEnvVar) + } + Current = Environment{ - NodeName: nn, - NodeIP: ni, + NodeName: nn, + NodeIP: ni, + Namespace: ns, } return nil } diff --git a/odiglet/pkg/kube/manager.go b/odiglet/pkg/kube/manager.go index b090dc1e1..d552b12a1 100644 --- a/odiglet/pkg/kube/manager.go +++ b/odiglet/pkg/kube/manager.go @@ -36,6 +36,10 @@ func init() { func CreateManager() (ctrl.Manager, error) { log.Logger.V(0).Info("Starting reconcileres for runtime details") ctrl.SetLogger(log.Logger) + + odigosNs := env.Current.Namespace + nsSelector := client.InNamespace(odigosNs).AsSelector() + return manager.New(config.GetConfigOrDie(), manager.Options{ Scheme: scheme, Cache: cache.Options{ @@ -47,6 +51,9 @@ func CreateManager() (ctrl.Manager, error) { // only watch and list pods in the current node Field: fields.OneTermEqualSelector("spec.nodeName", env.Current.NodeName), }, + &odigosv1.CollectorsGroup{}: { // Used by OpAMP server to figure out which signals are collected + Field: nsSelector, + }, }, }, Metrics: metricsserver.Options{ From 1bd7144fc7dcbe2a764672affc6d629508d4d98f Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Sat, 21 Dec 2024 10:39:12 +0200 Subject: [PATCH 10/12] chore(odiglet): remove usused cm permissions --- cli/cmd/resources/odiglet.go | 9 --------- 1 file changed, 9 deletions(-) diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index 4c65e97e8..af2a56328 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go @@ -108,15 +108,6 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { Name: OdigletClusterRoleName, }, Rules: []rbacv1.PolicyRule{ - { - Verbs: []string{ - "get", - "list", - "watch", - }, - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - }, { Verbs: []string{ "get", 
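Review bot: The `CollectorsGroup` cache entry filters with a `metadata.namespace` field selector, but as far as I can tell controller-runtime still issues cluster-scoped LIST/WATCH requests for such an entry, and those are not authorized by the namespaced `odiglet` Role where `collectorsgroups` now lives (the ClusterRole grant is dropped later in the series); the informer would then fail to sync with a Forbidden error. To have RBAC evaluated against the Role the informer itself must be namespaced, which `ByObject` supports via `Namespaces: map[string]cache.Config{odigosNs: {}},` in place of `Field: nsSelector,`. The `ConfigMap` entry added to this function by the last patch in the series (the `@@ -47,9 +51,11 @@` hunk of manager.go) has the same issue and would take `Namespaces: map[string]cache.Config{odigosNs: {FieldSelector: nameSelector}},` so the `metadata.name` selector that the `resourceNames` grant needs is kept. `CreateManager`'s body continues outside the hunk.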
From 75a1fc9338339b166bc7e0f96898332dc03d320a Mon Sep 17 00:00:00 2001 From: Amir Blum Date: Sat, 21 Dec 2024 10:48:21 +0200 Subject: [PATCH 11/12] chore: remove watch rbac permission for workloads --- cli/cmd/resources/odiglet.go | 52 +++--------------------------------- 1 file changed, 3 insertions(+), 49 deletions(-) diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index af2a56328..5b2423545 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go @@ -116,16 +116,7 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { }, APIGroups: []string{""}, Resources: []string{ - "pods", - }, - }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{""}, - Resources: []string{ - "pods/status", + "pods", "pods/status", }, }, { @@ -143,46 +134,9 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { Verbs: []string{ "get", "list", - "watch", - }, - APIGroups: []string{"apps"}, - Resources: []string{"deployments"}, - }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{"apps"}, - Resources: []string{ - "deployments/status", - }, - }, - { - Verbs: []string{ - "get", - "list", - "watch", - }, - APIGroups: []string{"apps"}, - Resources: []string{"statefulsets"}, - }, - { - Verbs: []string{ - "get", - }, - APIGroups: []string{"apps"}, - Resources: []string{ - "statefulsets/status", - }, - }, - { - Verbs: []string{ - "get", - "list", - "watch", }, APIGroups: []string{"apps"}, - Resources: []string{"daemonsets"}, + Resources: []string{"deployments", "daemonsets", "statefulsets"}, }, { Verbs: []string{ @@ -190,7 +144,7 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { }, APIGroups: []string{"apps"}, Resources: []string{ - "daemonsets/status", + "deployments/status", "daemonsets/status", "statefulsets/status", }, }, { From edad5752b1e01c53af434f005bffc9be939c7a25 Mon Sep 17 00:00:00 2001 
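Review bot: Folding `pods/status` into the `pods` rule gives the status subresource every verb that rule carries, whereas the removed rule granted it `get` only; the rule's verbs sit above the hunk, but the matching helm change later in the series lists at least `get` and `list` for `pods/status`, so this looks like a quiet widening rather than a pure consolidation. If nothing in odiglet lists or watches `pods/status`, keep it as its own get-only rule; the same consideration applies to the workload `*/status` merge in the `@@ -190,7 +144,7 @@` hunk on this line, whose verbs are also outside the hunk. The commit title says `watch` is removed for workloads, yet the last patch in the series adds it back, so the series as posted leaves the intent unclear. NewOdigletClusterRole's body starts and ends outside these hunks.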
From: Amir Blum Date: Sun, 22 Dec 2024 01:08:10 +0200 Subject: [PATCH 12/12] chore: sync helm --- cli/cmd/resources/odiglet.go | 12 +++ .../odigos/templates/odiglet/clusterrole.yaml | 74 +++++++------------ helm/odigos/templates/odiglet/role.yaml | 25 +++++++ .../odigos/templates/odiglet/rolebinding.yaml | 14 ++++ odiglet/pkg/kube/manager.go | 10 ++- 5 files changed, 84 insertions(+), 51 deletions(-) create mode 100644 helm/odigos/templates/odiglet/role.yaml diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go index 5b2423545..14c8639b8 100644 --- a/cli/cmd/resources/odiglet.go +++ b/cli/cmd/resources/odiglet.go @@ -8,6 +8,7 @@ import ( "github.com/odigos-io/odigos/cli/pkg/autodetect" cmdcontext "github.com/odigos-io/odigos/cli/pkg/cmd_context" + "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/cli/cmd/resources/odigospro" "github.com/odigos-io/odigos/cli/cmd/resources/resourcemanager" @@ -69,6 +70,16 @@ func NewOdigletRole(ns string) *rbacv1.Role { APIGroups: []string{"odigos.io"}, Resources: []string{"collectorsgroups", "collectorsgroups/status"}, }, + { + Verbs: []string{ + "get", + "list", + "watch", + }, + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + ResourceNames: []string{consts.OdigosConfigurationName}, + }, }, } } @@ -134,6 +145,7 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole { Verbs: []string{ "get", "list", + "watch", }, APIGroups: []string{"apps"}, Resources: []string{"deployments", "daemonsets", "statefulsets"}, diff --git a/helm/odigos/templates/odiglet/clusterrole.yaml b/helm/odigos/templates/odiglet/clusterrole.yaml index 62e8ae3ec..c632517d9 100644 --- a/helm/odigos/templates/odiglet/clusterrole.yaml +++ b/helm/odigos/templates/odiglet/clusterrole.yaml @@ -6,9 +6,8 @@ rules: - apiGroups: - "" resources: - - configmaps - - nodes - pods + - pods/status verbs: - get - list 
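Review bot: The new `configmaps` rule in `NewOdigletRole` restricts `list`/`watch` by `ResourceNames`, which Kubernetes only honours when the client's request carries a `metadata.name` field selector equal to that name; a reader of this rule cannot see that coupling with the odiglet cache setup, so document it on the rule: `// resourceNames on list/watch only authorizes requests that filter by metadata.name; keep in sync with the ConfigMap cache selector in odiglet/pkg/kube/manager.go`. The `watch` verb re-added to the workload rule in the `@@ -134,6 +145,7 @@` hunk reverses the previous patch's stated removal; if the odiglet informers need it, a short comment on the rule saying which reconciler needs it would stop the next cleanup from dropping it again. NewOdigletRole's and NewOdigletClusterRole's bodies extend outside their hunks.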
@@ -16,14 +15,16 @@ rules: - apiGroups: - "" resources: - - pods/status + - nodes verbs: - get + - list + - watch - apiGroups: - apps resources: - - daemonsets - deployments + - daemonsets - statefulsets verbs: - get @@ -32,37 +33,11 @@ rules: - apiGroups: - apps resources: - - daemonsets/finalizers - - deployments/finalizers - - statefulsets/finalizers - verbs: - - update - - apiGroups: - - apps - resources: - - daemonsets/status - deployments/status + - daemonsets/status - statefulsets/status verbs: - get - - apiGroups: - - odigos.io - resources: - - collectorsgroups - - collectorsgroups/status - verbs: - - get - - list - - watch - - apiGroups: - - odigos.io - resources: - - instrumentationconfigs/status - verbs: - - get - - list - - watch - - patch - apiGroups: - apps resources: @@ -72,36 +47,38 @@ rules: - apiGroups: - odigos.io resources: - - instrumentationconfigs + - instrumentedapplications verbs: + - create - get - list - - watch - patch - update + - watch - apiGroups: - odigos.io resources: - - instrumentedapplications + - instrumentedapplications/status verbs: - - create - get - - list - patch - update - - watch - apiGroups: - odigos.io resources: - - odigosconfigurations + - instrumentationinstances verbs: + - create - get - list + - patch + - update - watch + - delete - apiGroups: - odigos.io resources: - - instrumentedapplications/status + - instrumentationinstances/status verbs: - get - patch @@ -109,30 +86,29 @@ rules: - apiGroups: - odigos.io resources: - - instrumentationinstances + - instrumentationconfigs verbs: - - create - get - list + - watch - patch - update - - watch - - delete - apiGroups: - odigos.io resources: - - instrumentationinstances/status + - instrumentationconfigs/status verbs: - get + - list + - watch - patch - - update {{ if .Values.psp.enabled }} - apiGroups: - - policy + - policy resourceNames: - - privileged + - privileged resources: - - podsecuritypolicies + - podsecuritypolicies verbs: - - use + - use {{ end }} 
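Review bot: The reorder across these hunks makes the effective permission change hard to audit: net, this file drops the cluster-wide `collectorsgroups` and `odigosconfigurations` reads and the `*/finalizers` `update`, while most other rules are moved rather than changed. Keeping rules in a stable order (for example the order used by `NewOdigletClusterRole` in the CLI, which this chart now mirrors) would make future syncs diff only the verbs and resources that actually change. A header comment such as `# Cluster-scoped permissions only; namespace-local rules (collectorsgroups, the odigos-config ConfigMap) live in role.yaml` would also tell the reader where the dropped rules went.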
diff --git a/helm/odigos/templates/odiglet/role.yaml b/helm/odigos/templates/odiglet/role.yaml new file mode 100644 index 000000000..358a0aa47 --- /dev/null +++ b/helm/odigos/templates/odiglet/role.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: odiglet + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - odigos.io + resources: + - collectorsgroups + - collectorsgroups/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resourceNames: + - odigos-config + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/helm/odigos/templates/odiglet/rolebinding.yaml b/helm/odigos/templates/odiglet/rolebinding.yaml index 908f085c4..b18bd7168 100644 --- a/helm/odigos/templates/odiglet/rolebinding.yaml +++ b/helm/odigos/templates/odiglet/rolebinding.yaml @@ -16,3 +16,17 @@ subjects: name: odigos-data-collection namespace: {{ .Release.Namespace }} {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: odiglet + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: odiglet +subjects: + - kind: ServiceAccount + name: odiglet + namespace: {{ .Release.Namespace }} diff --git a/odiglet/pkg/kube/manager.go b/odiglet/pkg/kube/manager.go index d552b12a1..22a9e146a 100644 --- a/odiglet/pkg/kube/manager.go +++ b/odiglet/pkg/kube/manager.go @@ -1,6 +1,7 @@ package kube import ( + "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/instrumentation" "github.com/odigos-io/odigos/odiglet/pkg/ebpf" 
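Review bot: `resourceNames: - odigos-config` is a literal here while the CLI side uses `consts.OdigosConfigurationName`, so the chart and the Go constant can drift silently, and with `list`/`watch` the grant only takes effect when the odiglet request filters by `metadata.name`; neither fact is visible from this file. Suggest a comment above the rule: `# must equal consts.OdigosConfigurationName; list/watch are only authorized for requests carrying a metadata.name field selector`. The appended RoleBinding in rolebinding.yaml and the import in manager.go on this line need nothing further.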
@@ -39,6 +40,9 @@ func CreateManager() (ctrl.Manager, error) { odigosNs := env.Current.Namespace nsSelector := client.InNamespace(odigosNs).AsSelector() + nameSelector := fields.OneTermEqualSelector("metadata.name", consts.OdigosConfigurationName) + odigosConfigSelector := fields.AndSelectors(nsSelector, nameSelector) + currentNodeSelector := fields.OneTermEqualSelector("spec.nodeName", env.Current.NodeName) return manager.New(config.GetConfigOrDie(), manager.Options{ Scheme: scheme, @@ -47,9 +51,11 @@ func CreateManager() (ctrl.Manager, error) { // running `kubectl get .... --show-managed-fields` will show the managed fields. DefaultTransform: cache.TransformStripManagedFields(), ByObject: map[client.Object]cache.ByObject{ + &corev1.ConfigMap{}: { + Field: odigosConfigSelector, + }, &corev1.Pod{}: { - // only watch and list pods in the current node - Field: fields.OneTermEqualSelector("spec.nodeName", env.Current.NodeName), + Field: currentNodeSelector, }, &odigosv1.CollectorsGroup{}: { // Used by OpAMP server to figure out which signals are collected Field: nsSelector,
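Review bot: Hoisting the pod selector into `currentNodeSelector` loses the only explanation of why pods are filtered, since the `// only watch and list pods in the current node` comment is deleted from the `ByObject` entry in the following hunk; move it onto the new variable: `// restrict the pod informer to pods scheduled on this node`. A similar one-liner on `odigosConfigSelector` saying it must match the `resourceNames` grant in the odiglet Role would help, because the `metadata.name` selector is what makes that grant usable for list/watch. CreateManager's body continues outside the hunk.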