observability/opentelemetry-collector/manifests/rbac.yaml

# RBAC for OpenTelemetry Collector and Target Allocator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-collector
  namespace: opentelemetry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-collector
rules:
  # For k8sattributes processor
  - apiGroups: [""]
    resources: ["pods", "namespaces", "nodes", "endpoints", "services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"]
    resources: ["replicasets", "deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "watch", "list"]
  # For Target Allocator - ServiceMonitor/PodMonitor discovery
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors", "podmonitors"]
    verbs: ["get", "watch", "list"]
  # For node metrics
  - apiGroups: [""]
    resources: ["nodes/metrics", "nodes/stats", "nodes/proxy"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otel-collector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: otel-collector
subjects:
  - kind: ServiceAccount
    name: otel-collector
    namespace: opentelemetry
---
# Target Allocator ServiceAccount and RBAC
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-collector-targetallocator
  namespace: opentelemetry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-targetallocator
rules:
  # Core resources for service discovery
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "watch", "list"]
  # Secrets for TLS certificates referenced by ServiceMonitors
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  # Events for status reporting
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "watch", "list"]
  # Prometheus CRs
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors", "podmonitors", "probes", "scrapeconfigs"]
    verbs: ["get", "watch", "list"]
  # For allocator coordination
  - apiGroups: ["opentelemetry.io"]
    resources: ["opentelemetrycollectors"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otel-targetallocator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: otel-targetallocator
subjects:
  - kind: ServiceAccount
    name: otel-collector-targetallocator
    namespace: opentelemetry