OTEL refactor

[andylibrian]

This PR is currently not ready for merge.

• Agent: Use OpenTelemetry logs to publish events in favor of direct access to NATS
• Client: Introduce OpenTelemetry collector in the KubViz client cluster
• Implement a basic version of OpenTelemetry NATS exporter
• Update helm charts to accomodate the new infra

[dryrunsecurity]

DryRun Security Summary

The provided code changes cover a wide range of updates to the "kubviz" application, including improvements to the OpenTelemetry (OTEL) collector configuration, the integration with the Dgraph database, and various other enhancements to the application's functionality, with a strong focus on security practices and the need to thoroughly review the implementation and configuration to maintain a strong security posture.

Expand for full summary

Summary:

The provided code changes cover a wide range of updates to the "kubviz" application, including improvements to the OpenTelemetry (OTEL) collector configuration, the integration with the Dgraph database, and various other enhancements to the application's functionality.

From an application security perspective, the key points to consider are:

1. OTEL Collector Configuration: Ensure that the OTEL collector is properly secured, with appropriate access controls, resource limits, and secure communication channels. Review the configuration to avoid potential data exposure or resource exhaustion issues.

2. Dgraph Database Integration: Carefully review the integration with the Dgraph database, including input validation, secure communication, and proper access controls. Ensure that sensitive data is not inadvertently exposed or stored in an insecure manner.

3. Kubernetes Resource Monitoring: The application's ability to monitor and publish information about all Kubernetes resources could potentially expose sensitive data. Implement appropriate data sanitization and access controls to mitigate this risk.

4. Logging and Monitoring: Ensure that the application's logging and monitoring mechanisms do not inadvertently expose sensitive information and that they are properly configured to detect and respond to potential security incidents.

5. Dependency Management: Review the use of external libraries and dependencies, such as the Dgraph and NATS components, to ensure that they are up-to-date and free of known vulnerabilities.

Overall, the changes appear to be focused on enhancing the application's functionality and observability, but it is essential to thoroughly review the implementation and configuration to maintain a strong security posture.

Files Changed:

• .gitignore: Updates to the .gitignore file do not introduce any immediate security concerns.
• .github/workflows/otel-collector-pr.yml, .github/workflows/otel-collector-release.yml, .github/workflows/otel-collector-image.yml: These workflow files demonstrate a strong focus on security practices, such as image signing, vulnerability scanning, and SBOM generation.
• agent/config/config.go: The new configuration options should be reviewed to ensure that they do not introduce any resource exhaustion or security issues.
• agent/kubviz/otel/log.go: The logging and event publishing functionality should be reviewed to ensure that no sensitive information is accidentally logged.
• agent/kubviz/k8smetrics_agent.go: The changes introduce new plugins and functionality, which should be reviewed for potential security implications.
• agent/kubviz/plugins/events/event_metrics_utils.go: The Kubernetes event monitoring and publishing functionality should be reviewed to ensure that it does not expose any sensitive data.
• agent/kubviz/scheduler/scheduler.go, agent/kubviz/scheduler/scheduler_watch.go: The changes related to the "KubeAllResource" job should be reviewed to ensure that it does not introduce any security risks.
• charts/ directory: The Helm chart changes, including the OTEL collector configuration and Dgraph integration, should be reviewed for security considerations.
• client/ directory: The changes in the client application, particularly the Dgraph integration and Kubernetes resource monitoring, should be thoroughly reviewed for security implications.

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[github-actions]

Message that will be displayed on users' first pull request