[collector] kubernetesAttributes preset ClusterRole does not include "nodes"

[lindeskar]

The kubernetesAttributes preset does not include "nodes" in it's ClusterRole, leading to errors when trying to access Node metadata:

User "system:serviceaccount:opentelemetry-collector:otelcol-opentelemetry-collector" cannot list resource "nodes" in API group "" at the cluster scope

Example chart values causing the error:

mode: "daemonset"
image:
  repository: otel/opentelemetry-collector-contrib
config:
  processors:
    k8sattributes:
      extract:
        labels:
          - { tag_name: zone, key: "topology.kubernetes.io/zone", from: node }
presets:
  logsCollection:
    enabled: true
  kubernetesAttributes:
    enabled: true

This addition to values fixes the problem:

clusterRole:
  rules:
    - apiGroups: [""]
      resources: ["nodes"]
      verbs: ["get", "list", "watch"]

Is this by design? I think we could update the preset documentation, or simply add "nodes" to the template:

opentelemetry-helm-charts/charts/opentelemetry-collector/templates/clusterrole.yaml

Lines 18 to 28 in 694c38d

	{{- if .Values.presets.kubernetesAttributes.enabled}}
	- apiGroups: [""]
	resources: ["pods", "namespaces"]
	verbs: ["get", "watch", "list"]
	- apiGroups: ["apps"]
	resources: ["replicasets"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["extensions"]
	resources: ["replicasets"]
	verbs: ["get", "list", "watch"]
	{{- end }}

--

From the k8sattributesprocessor README:

When using k8s.node.uid or extracting metadata from node, the processor needs get, watch and list permissions for nodes resources.

[TylerHelmuth]

@lindeskar you are correct, the preset only sets the RBAC to meet the permission requirements of the k8sattributes processor as the preset defines it. Since you added additional scope (extracting node labels) you must also supply the additional RBAC for that feature.

We do this to ensure the preset configures the minimum permissions necessary. We do not want to give more permissions that the components need as that is a security risk.

[lindeskar]

Thanks. I agree that's a reasonable default.

Then I wish for a comment about this in:

opentelemetry-helm-charts/charts/opentelemetry-collector/values.yaml

Lines 45 to 47 in 694c38d

	# Configures the Kubernetes Processor to add Kubernetes metadata.
	# Adds the k8sattributes processor to all the pipelines
	# and adds the necessary rules to ClusteRole.

and:

opentelemetry-helm-charts/charts/opentelemetry-collector/README.md

Lines 144 to 146 in 694c38d

	### Configuration for Kubernetes Attributes Processor
	The collector can be configured to add Kubernetes metadata, such as pod name and namespace name, as resource attributes to incoming logs, metrics and traces.

Can I create PR for it?

[TylerHelmuth]

Yes please