openshift · andreasgerstmayr · Jul 11, 2025
diff --git a/observability/otel/otel-collector/otel-collector-receivers.adoc b/observability/otel/otel-collector/otel-collector-receivers.adoc
@@ -645,6 +645,87 @@ include::snippets/technology-preview.adoc[]
 <1> A list of file glob patterns that match the file paths to be read.
 <2> An array of Operators. Each Operator performs a simple task such as parsing a timestamp or JSON. To process logs into a desired format, chain the Operators together.
 
+.OpenTelemetry Collector custom resource with enabled Filelog Receiver that parses OpenShift cluster logs
+[source,yaml]
+----
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: otel-clusterlogs-collector-scc <1>
+allowPrivilegedContainer: false
+requiredDropCapabilities:
+- ALL
+allowHostDirVolumePlugin: true
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected
+- secret
+defaultAllowPrivilegeEscalation: false
+allowPrivilegeEscalation: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+readOnlyRootFilesystem: true
+forbiddenSysctls:
+- '*'
+seccompProfiles:
+- runtime/default
+users:
+- system:serviceaccount:observability:clusterlogs-collector <2>
+---
+apiVersion: opentelemetry.io/v1beta1
+kind: OpenTelemetryCollector
+metadata:
+  name: clusterlogs
+  namespace: observability
+spec:
+  mode: daemonset
+  config:
+    receivers:
+      filelog:
+        include:
+        - /var/log/pods/*/*/*.log
+        exclude:
+        - /var/log/pods/*/otc-container/*.log <3>
+        include_file_path: true
+        include_file_name: false
+        operators:
+        - type: container
+    exporters:
+      debug:
+        verbosity: detailed
+    service:
+      pipelines:
+        logs:
+          receivers: [filelog]
+          exporters: [debug]
+  securityContext:
+    runAsUser: 0
+    seLinuxOptions:
+      type: spc_t
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+      - ALL
+  volumeMounts:
+  - name: varlogpods
+    mountPath: /var/log/pods
+    readOnly: true
+  volumes:
+  - name: varlogpods
+    hostPath:
+      path: /var/log/pods
+----
+<1> Configure a Security Context Constraint (SCC) to allow accessing files on the host
+<2> Assign the SCC to the collector Service Account (the OpenTelemetry Operator creates this Service Account)
+<3> Exclude logs from the collector container. In this example configuration, the container prints all cluster logs to stdout for demonstration purposes, which would create a loop.
+
 [id="journald-receiver_{context}"]
 == Journald Receiver