---
# 1. Permission configuration for the otel-agent collector:
#    a ServiceAccount, a read-only ClusterRole, and the binding between them.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-agent
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-agent-role
rules:
  # Allow reading Pod and Node information.
  # NOTE(review): nodes/proxy is the broadest grant in this role. The kubelet
  # authorizes every path that has no dedicated subresource against it, so it
  # reaches well beyond statistics. nodes/stats already covers the kubelet
  # /stats endpoints; keep nodes/proxy only if the collector configuration
  # actually needs it. Confirm that services and endpoints are used as well.
  - apiGroups:
      - ''
    resources:
      - nodes
      - nodes/stats
      - nodes/proxy
      - pods
      - services
      - endpoints
    verbs:
      - get
      - watch
      - list
  # Allow reading ReplicaSets so that the k8sattributes processor can resolve
  # Deployment names.
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
      - watch
      - list
  # Non-resource URL permissions (intended for the kubelet stats endpoints).
  # NOTE(review): nonResourceURLs rules are matched against request paths on
  # the API server. The kubelet authorizes its own /metrics paths through the
  # nodes/metrics subresource, which this role does not list. Confirm which
  # endpoint the collector scrapes.
  - nonResourceURLs:
      - /metrics
      - /metrics/cadvisor
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otel-agent-binding
# The binding is cluster-wide: any workload running as monitoring/otel-agent
# receives the reads above in every namespace, so restrict who can create
# Pods with this ServiceAccount in the monitoring namespace.
subjects:
  - kind: ServiceAccount
    name: otel-agent
    namespace: monitoring
roleRef:
  kind: ClusterRole
  name: otel-agent-role
  apiGroup: rbac.authorization.k8s.io