[receiver/k8scluster] add support for observing resources for a speci…

…fic namespace (open-telemetry#35727)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

This PR extends the k8scluster receiver with an option to limit the
observed resources to a specific namespace.

<!-- Issue number (e.g. open-telemetry#1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
Fixes open-telemetry#9401 

<!--Describe what testing was performed and which tests were added.-->
#### Testing

added unit and e2e tests

<!--Describe the documentation added.-->
#### Documentation

Added section about how to make use of Roles and RoleBindings instead of
ClusterRoles and ClusterRoleBindings

---------

Signed-off-by: Florian Bacher <[email protected]>
Co-authored-by: Tyler Helmuth <[email protected]>
Co-authored-by: Evan Bradley <[email protected]>

.chloggen/k8sclusterreceiver-namespaced.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: k8sclusterreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for limiting observed resources to a specific namespace.
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [9401]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: This change allows to make use of this receiver with `Roles`/`RoleBindings`, as opposed to giving the collector cluster-wide read access.
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []

receiver/k8sclusterreceiver/README.md

@@ -62,6 +62,7 @@ The following allocatable resource types are available.
   - storage
 - `metrics`: Allows to enable/disable metrics.
 - `resource_attributes`: Allows to enable/disable resource attributes.
+- `namespace`: Allows to observe resources for a particular namespace only. If this option is set to a non-empty string, `Nodes`, `Namespaces` and `ClusterResourceQuotas` will not be observed. 
 
 Example:
 
@@ -273,6 +274,97 @@ subjects:
 EOF
 ```
 
+As an alternative to setting up a `ClusterRole`/`ClusterRoleBinding`, it is also possible to limit the observed resources to a
+particular namespace by setting the `namespace` option of the receiver. This allows the collector to only rely on `Roles`/`RoleBindings`, 
+instead of granting the collector cluster-wide read access to resources.
+Note however, that in this case the following resources will not be observed by the `k8sclusterreceiver`:
+
+- `Nodes`
+- `Namespaces`
+- `ClusterResourceQuotas`
+
+To use this approach, use the commands below to create the required `Role` and `RoleBinding`:
+
+```bash
+<<EOF | kubectl apply -f -
+metadata:
+  name: otelcontribcol
+  labels:
+    app: otelcontribcol
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+      - pods
+      - pods/status
+      - replicationcontrollers
+      - replicationcontrollers/status
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - replicasets
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+      - deployments
+      - replicasets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+      - cronjobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+EOF
+```
+
+```bash
+<<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: otelcontribcol
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: otelcontribcol
+subjects:
+  - kind: ServiceAccount
+    name: otelcontribcol
+    namespace: default
+EOF
+```
+
 ### Deployment
 
 Create a [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to deploy the collector.

receiver/k8sclusterreceiver/config.go

@@ -39,6 +39,11 @@ type Config struct {
 
 	// MetricsBuilderConfig allows customizing scraped metrics/attributes representation.
 	metadata.MetricsBuilderConfig `mapstructure:",squash"`
+
+	// Namespace to fetch resources from. If this is set, certain cluster-wide resources such as Nodes or Namespaces
+	// will not be able to be observed. Setting this option is recommended in environments where due to security restrictions
+	// the collector can not be granted cluster-wide permissions.
+	Namespace string `mapstructure:"namespace"`
 }
 
 func (cfg *Config) Validate() error {
@@ -48,5 +53,6 @@ func (cfg *Config) Validate() error {
 	default:
 		return fmt.Errorf("\"%s\" is not a supported distribution. Must be one of: \"openshift\", \"kubernetes\"", cfg.Distribution)
 	}
+
 	return nil
 }