Skip to content

fix(webhook): check probes and scrapeconfigs RBAC only when CRDs exist#5011

Open
u-kai wants to merge 3 commits into
open-telemetry:mainfrom
u-kai:fix/issue-4456
Open

fix(webhook): check probes and scrapeconfigs RBAC only when CRDs exist#5011
u-kai wants to merge 3 commits into
open-telemetry:mainfrom
u-kai:fix/issue-4456

Conversation

@u-kai

@u-kai u-kai commented Apr 29, 2026

Copy link
Copy Markdown

Description:

The webhook RBAC check for PrometheusCR only warned about servicemonitors and podmonitors,
missing probes and scrapeconfigs.

Also, warnings were emitted even when prometheus-operator was not installed in the cluster.

This fix dynamically discovers which monitoring.coreos.com CRDs exist in the cluster via the
discovery API, and only includes those in the RBAC check.

Clusters without prometheus-operator installed will no longer receive false-positive warnings.

Link to tracking Issue(s):

Testing:
Updated unit tests in targetallocator_webhook_test.go and collector_webhook_test.go to cover the new dynamic CRD discovery behavior, including a case where no prometheus-operator CRDs are installed (zero warnings expected).

Documentation:

(open-telemetry#4456)

Signed-off-by: u-kai <76635578+u-kai@users.noreply.github.com>
@swiatekm

Copy link
Copy Markdown
Contributor

Rather than doing this in the webhook, detecting these should be a part of the autodetect package. Right now we store a PrometheusCRAvailable boolean value in the config, whereas it should be a list of the available CRDs. Then the webhook would just pull it from the config. This may require some refactoring along the way.

Signed-off-by: u-kai <76635578+u-kai@users.noreply.github.com>
@u-kai

u-kai commented May 3, 2026

Copy link
Copy Markdown
Author

@swiatekm
Thanks for the comment!
I've fixed the code following your advice.

@u-kai u-kai marked this pull request as ready for review May 26, 2026 11:56
@u-kai u-kai requested a review from a team as a code owner May 26, 2026 11:56
@u-kai u-kai requested review from pavolloffay and yuriolisa May 26, 2026 11:56

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this being removed? this is the pattern we follow for this so we have a well typed signature. We could instead add multiple values here for each of the CRDs we care about checking.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the comment.

The reason for using []string instead of extending Availability is that the value is consumed directly as rbacv1.PolicyRule.Resources (which is
[]string), so keeping it as []string throughout avoids any type conversion at the call site.

That said, would it make sense to introduce a named type like type AvailableCRDs []string as a lightweight wrapper to preserve the well-typed
signature pattern used elsewhere in this package?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Incomplete RBAC validation for target allocator scrapeconfigs and probes permissions

3 participants