Scope profile RBAC to k8s profile presets

povilasv · povilasv · commit 2779fd7ea4d0 · 2026-05-04T13:15:42.000+03:00
diff --git a/charts/opentelemetry-collector/CHANGELOG.md b/charts/opentelemetry-collector/CHANGELOG.md
@@ -7,6 +7,7 @@
 - [Feat] Forward eBPF profiler profiles to a node-local agent over OTLP by default, keeping Kubernetes attributes and profile service-name mapping on the standard agent collector.
 - [Feat] Add the `x-coralogix-ingress: otlp/v1.10.0` header to Coralogix profile exports.
 - [Fix] Match profile Kubernetes attributes by `container.id` before falling back to connection-based pod association.
+- [Fix] Scope profile Kubernetes RBAC to the `profilesCollection` and `profilesK8sAttributes` presets that configure `k8sattributes/profiles`.
 
 ### v0.131.0 / 2026-04-30
 
diff --git a/charts/opentelemetry-collector/templates/clusterrole.yaml b/charts/opentelemetry-collector/templates/clusterrole.yaml
@@ -1,6 +1,4 @@
-{{- $ebpfProfilerNeedsK8sRBAC := and (.Values.presets.ebpfProfiler.enabled) (not .Values.presets.ebpfProfiler.forwardToAgent.enabled) -}}
-{{- $profilesK8sAttributesNeedsRBAC := and (.Values.presets.profilesK8sAttributes.enabled) (not (and .Values.presets.ebpfProfiler.enabled .Values.presets.ebpfProfiler.forwardToAgent.enabled)) -}}
-{{- if or (.Values.clusterRole.create) (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.clusterMetrics.enabled) (.Values.presets.kubeletMetrics.enabled) (.Values.presets.kubernetesEvents.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.kubernetesResources.enabled) (.Values.presets.profilesCollection.enabled) ($profilesK8sAttributesNeedsRBAC) ($ebpfProfilerNeedsK8sRBAC) (.Values.presets.loadBalancing.k8s.enabled) (.Values.presets.kubernetesExtraMetrics.enabled) (.Values.presets.kubernetesApiServerMetrics.enabled) (.Values.presets.prometheusAnnotationDiscovery.enabled) (eq .Values.distribution "eks/fargate") -}}
+{{- if or (.Values.clusterRole.create) (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.clusterMetrics.enabled) (.Values.presets.kubeletMetrics.enabled) (.Values.presets.kubernetesEvents.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.kubernetesResources.enabled) (.Values.presets.profilesCollection.enabled) (.Values.presets.profilesK8sAttributes.enabled) (.Values.presets.loadBalancing.k8s.enabled) (.Values.presets.kubernetesExtraMetrics.enabled) (.Values.presets.kubernetesApiServerMetrics.enabled) (.Values.presets.prometheusAnnotationDiscovery.enabled) (eq .Values.distribution "eks/fargate") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -17,7 +15,7 @@ rules:
   {{- if .Values.clusterRole.rules -}}
   {{ toYaml .Values.clusterRole.rules | nindent 2 -}}
   {{- end }}
-  {{- if or (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.profilesCollection.enabled) ($profilesK8sAttributesNeedsRBAC) ($ebpfProfilerNeedsK8sRBAC) }}
+  {{- if or (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.profilesCollection.enabled) (.Values.presets.profilesK8sAttributes.enabled) }}
   - apiGroups: [""]
     resources: ["pods", "namespaces"]
     verbs: ["get", "watch", "list"]
diff --git a/charts/opentelemetry-collector/templates/clusterrolebinding.yaml b/charts/opentelemetry-collector/templates/clusterrolebinding.yaml
@@ -1,6 +1,4 @@
-{{- $ebpfProfilerNeedsK8sRBAC := and (.Values.presets.ebpfProfiler.enabled) (not .Values.presets.ebpfProfiler.forwardToAgent.enabled) -}}
-{{- $profilesK8sAttributesNeedsRBAC := and (.Values.presets.profilesK8sAttributes.enabled) (not (and .Values.presets.ebpfProfiler.enabled .Values.presets.ebpfProfiler.forwardToAgent.enabled)) -}}
-{{- if or (.Values.clusterRole.create) (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.clusterMetrics.enabled) (.Values.presets.kubeletMetrics.enabled) (.Values.presets.kubernetesEvents.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.kubernetesResources.enabled) (.Values.presets.profilesCollection.enabled) ($profilesK8sAttributesNeedsRBAC) ($ebpfProfilerNeedsK8sRBAC) (.Values.presets.loadBalancing.k8s.enabled) (.Values.presets.kubernetesExtraMetrics.enabled) (.Values.presets.kubernetesApiServerMetrics.enabled) (eq .Values.distribution "eks/fargate") -}}
+{{- if or (.Values.clusterRole.create) (.Values.presets.kubernetesAttributes.enabled) (.Values.presets.clusterMetrics.enabled) (.Values.presets.kubeletMetrics.enabled) (.Values.presets.kubernetesEvents.enabled) (.Values.presets.mysql.metrics.enabled) (.Values.presets.kubernetesResources.enabled) (.Values.presets.profilesCollection.enabled) (.Values.presets.profilesK8sAttributes.enabled) (.Values.presets.loadBalancing.k8s.enabled) (.Values.presets.kubernetesExtraMetrics.enabled) (.Values.presets.kubernetesApiServerMetrics.enabled) (eq .Values.distribution "eks/fargate") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
