Explicitly bind to endpoint 0.0.0.0

For all receivers and health_check. Adding networkpolicy for ingress on essential ports.
GoogleContainerTools · Dec 16, 2024 · 89a5757 · 89a5757
1 parent 30ba466
commit 89a5757
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 6 deletions.
diff --git a/e2e/testdata/otel-collector/otel-cm-full-gcm.yaml b/e2e/testdata/otel-collector/otel-cm-full-gcm.yaml
@@ -20,7 +20,7 @@ data:
         endpoint: 0.0.0.0:55678
     exporters:
       prometheus:
-        endpoint: :8675
+        endpoint: 0.0.0.0:8675
         namespace: config_sync
         resource_to_telemetry_conversion:
           enabled: true

diff --git a/manifests/otel-agent-cm.yaml b/manifests/otel-agent-cm.yaml
@@ -40,6 +40,7 @@ data:
         detectors: [env, gcp]
     extensions:
       health_check:
+        endpoint: "0.0.0.0:13133"
     service:
       extensions: [health_check]
       pipelines:

diff --git a/manifests/otel-agent-reconciler-cm.yaml b/manifests/otel-agent-reconciler-cm.yaml
@@ -58,6 +58,7 @@ data:
         detectors: [env, gcp]
     extensions:
       health_check:
+        endpoint: 0.0.0.0:13133
     service:
       extensions: [health_check]
       pipelines:

diff --git a/manifests/templates/otel-collector.yaml b/manifests/templates/otel-collector.yaml
@@ -29,18 +29,16 @@ data:
         endpoint: 0.0.0.0:55678
     exporters:
       prometheus:
-        endpoint: :8675
+        endpoint: 0.0.0.0:8675
         namespace: config_sync
         resource_to_telemetry_conversion:
           enabled: true
     processors:
       batch:
     extensions:
       health_check:
+        endpoint: "0.0.0.0:13133"
     service:
-      telemetry:
-        metrics:
-          address: 0.0.0.0:55678
       extensions: [health_check]
       pipelines:
         metrics:
@@ -71,6 +69,29 @@ spec:
   - name: metrics # Prometheus exporter metrics.
     port: 8675
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-port-ingress
+  namespace: config-management-monitoring
+spec:
+  podSelector:
+    matchLabels:
+      app: opentelemetry
+      component: otel-collector
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - protocol: TCP
+      port: 13133
+    - protocol: TCP
+      port: 55678
+    - protocol: TCP
+      port: 8675
+    - protocol: TCP
+      port: 8888
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/manifests/templates/reconciler-manager.yaml b/manifests/templates/reconciler-manager.yaml
@@ -150,3 +150,23 @@ spec:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-port-ingress
+  namespace: config-management-system
+spec:
+  podSelector:
+    matchLabels: {}
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - protocol: TCP
+      port: 13133
+    - protocol: TCP
+      port: 55678
+    - protocol: TCP
+      port: 8888
+
diff --git a/pkg/metrics/otel.go b/pkg/metrics/otel.go
@@ -37,7 +37,7 @@ const (
     endpoint: 0.0.0.0:55678
 exporters:
   prometheus:
-    endpoint: :8675
+    endpoint: 0.0.0.0:8675
     namespace: config_sync
     resource_to_telemetry_conversion:
       enabled: true
@@ -343,6 +343,7 @@ processors:
             aggregation_type: max
 extensions:
   health_check:
+    endpoint: "0.0.0.0:13133"
 service:
   extensions: [health_check]
   pipelines: