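---
# 1. Namespace that holds the collector and its RBAC objects.
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    name: monitoring
---
# 2. ServiceAccount the collector pods run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-collector
  namespace: monitoring
---
# 3. ClusterRole (least privilege): read-only access to cluster metadata.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-collector-role
rules:
  # Read node/pod/service metadata (baseline). list/watch are required
  # for informer-style discovery of these API resources.
  - apiGroups: [""]
    resources: ["nodes", "pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  # Kubelet subresources (metrics/stats are served by the kubelet through
  # the node proxy). The kubelet maps an HTTP GET to the "get" verb only,
  # so "list"/"watch" would never be exercised here; they are left out to
  # keep the grant minimal.
  - apiGroups: [""]
    resources: ["nodes/metrics", "nodes/stats"]
    verbs: ["get"]
  # To be added later (kept disabled until the corresponding receivers
  # are enabled; each rule is read-only):
  # # Collect Deployment/DaemonSet/StatefulSet (apps API group)
  # - apiGroups: ["apps"]
  #   resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
  #   verbs: ["get", "list", "watch"]
  # # Collect HPA (autoscaling API group)
  # - apiGroups: ["autoscaling"]
  #   resources: ["horizontalpodautoscalers"]
  #   verbs: ["get", "list", "watch"]
  # # Collect Kubernetes events (optional, for troubleshooting)
  # - apiGroups: [""]
  #   resources: ["events"]
  #   verbs: ["get", "list", "watch"]
---
# 4. Bind the ClusterRole to the ServiceAccount (cluster-wide scope is
# needed because nodes and pods in every namespace are read).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otel-collector-binding
subjects:
  - kind: ServiceAccount
    name: otel-collector
    namespace: monitoring
roleRef:
  kind: ClusterRole
  name: otel-collector-role
  apiGroup: rbac.authorization.k8s.io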