feat(nr-k8s-otel-collector): add initContainer to fix ATP storage per…

[gmanandhar-nr]

Problem

When ATP (Adaptive Telemetry Processor) is enabled, the collector fails to persist state with the following
error:

Error: open /var/lib/nrdot-collector/adaptiveprocess.db: permission denied

Root Cause: The hostPath volume at /var/lib/nrdot-collector is created by Kubernetes with root:root
ownership, but the main container runs as user 1001 (non-root), preventing ATP from writing the persistence
database.

Solution

Added a new fix-atp-storage-permissions initContainer that:

• Runs only when enable_atp: true (conditional rendering)
• Changes ownership of /var/lib/nrdot-collector to 1001:1001 before the main container starts
• Reuses the existing bitnami/kubectl image (no new dependencies)

Security

The initContainer runs with minimal privileges:

• runAsUser: 0 (required for chown)
• allowPrivilegeEscalation: false (prevents privilege escalation attacks)
• capabilities: drop: [ALL], add: [CHOWN, DAC_OVERRIDE] (only necessary capabilities)

Backward Compatibility

No impact on existing installations:

• Wrapped in {{- if .Values.enable_atp }} conditional
• Only adds initContainer when ATP is explicitly enabled
• Uses existing image (no new dependencies)
• All existing unit tests pass (213/213)

[Philip-R-Beckwith]

This seems overly heavy handed.
Why are we not using K8s built in fsGroup to fix the permissions issue?

[gmanandhar-nr]

Using fsGroup would be cleaner. However, fsGroup doesn't work with hostPath volumes, which is what we're using here.

The reason we use hostPath is because

• This is a DaemonSet - one pod per node
• ATP needs per-node persistent storage to track process metrics on each node
• hostPath ensures data survives pod restarts but stays node-specific