From dcffbef26855d0d07a48c6dbf1f879ea4f586fb0 Mon Sep 17 00:00:00 2001
From: Pavol Loffay <p.loffay@gmail.com>
Date: Fri, 28 Feb 2025 16:02:47 +0100
Subject: [PATCH] TRACING-5064 | RHOSDT (any version), fix RBAC for
 k8sattribute processor

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
---
 modules/otel-forwarding-traces.adoc           | 19 ++++++++++++-------
 .../otel-collector-processors.adoc            |  3 +++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/modules/otel-forwarding-traces.adoc b/modules/otel-forwarding-traces.adoc
index 2dcdd520dd..170136c918 100644
--- a/modules/otel-forwarding-traces.adoc
+++ b/modules/otel-forwarding-traces.adoc
@@ -37,14 +37,19 @@ kind: ClusterRole
 metadata:
   name: otel-collector
 rules:
-  # <1>
-  # <2>
-- apiGroups: ["", "config.openshift.io"]
-  resources: ["pods", "namespaces", "infrastructures", "infrastructures/status"]
-  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["pods", "namespaces",]
+  verbs: ["get", "watch", "list"] # <1>
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["get", "watch", "list"] # <2>
+- apiGroups: ["config.openshift.io"]
+  resources: ["infrastructures", "infrastructures/status"]
+  verbs: ["get", "watch", "list"] # <3>
 ----
-<1> The `k8sattributesprocessor` requires permissions for pods and namespaces resources.
-<2> The `resourcedetectionprocessor` requires permissions for infrastructures and status.
+<1> This example uses the Kubernetes Attributes Processor, which requires these permissions for the `pods` and `namespaces` resources.
+<2> Also due to the Kubernetes Attributes Processor, these permissions are required for the `replicasets` resources.
+<3> This example also uses the Resource Detection Processor, which requires these permissions for the `infrastructures` and `status` resources.
 
 . Bind the cluster role to the service account.
 +
diff --git a/observability/otel/otel-collector/otel-collector-processors.adoc b/observability/otel/otel-collector/otel-collector-processors.adoc
index 0cd15cef0e..f044843449 100644
--- a/observability/otel/otel-collector/otel-collector-processors.adoc
+++ b/observability/otel/otel-collector/otel-collector-processors.adoc
@@ -333,6 +333,9 @@ rules:
   - apiGroups: ['']
     resources: ['pods', 'namespaces']
     verbs: ['get', 'watch', 'list']
+  - apiGroups: ['apps']
+    resources: ['replicasets']
+    verbs: ['get', 'watch', 'list']
 # ...
 ----