OSDOCS-5287: Network Observability multi-tenancy

2026-02-05 21:46:22 +01:00 · 2023-05-10 16:59:58 -04:00
parent a9dceca878
commit 006f06b59e
3 changed files with 88 additions and 2 deletions
--- a/modules/network-observability-auth-multi-tenancy.adoc
+++ b/modules/network-observability-auth-multi-tenancy.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+
+// * networking/network_observability/installing-operators.adoc
+
+:_content-type: PROCEDURE
+[id="network-observability-auth-mutli-tenancy_{context}"]
+= Configure authorization and multi-tenancy
+Define `ClusterRole` and `ClusterRoleBinding`. The `netobserv-reader` `ClusterRole` enables multi-tenancy and allows individual user access, or group access, to the flows stored in Loki. You can create a YAML file to define these roles.  
+
+.Procedure
+
+. Using the web console, click the Import icon, *+*. 
+. Drop your YAML file into the editor and click *Create*: 
+
+[source, yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: netobserv-reader    <1>
+rules:
+- apiGroups:
+  - 'loki.grafana.com'
+  resources:
+  - network
+  resourceNames:
+  - logs
+  verbs:
+  - 'get'
+...
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: netobserv-writer
+rules:
+- apiGroups:
+  - 'loki.grafana.com'
+  resources:
+  - network
+  resourceNames:
+  - logs
+  verbs:
+  - 'create'
+...
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: netobserv-writer-flp
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: netobserv-writer
+subjects:
+- kind: ServiceAccount
+  name: flowlogs-pipeline    <2>
+  namespace: netobserv
+- kind: ServiceAccount
+  name: flowlogs-pipeline-transformer
+  namespace: netobserv
+----
+<1> This role can be used for multi-tenancy. 
+<2> The `flowlogs-pipeline` writes to Loki. If you are using Kafka, this value is `flowlogs-pipeline-transformer`.
--- a/modules/network-observability-multitenancy.adoc
+++ b/modules/network-observability-multitenancy.adoc
@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_content-type: PROCEDURE
+[id="network-observability-multi-tenancy{context}"]
+= Enable multi-tenancy in Network Observability
+Multi-tenancy in the Network Observability Operator allows and restricts individual user access, or group access, to the flows stored in Loki. Access is enabled for project admins. Project admins who have limited access to some namespaces can access flows for only those namespaces.
+
+.Prerequisite
+* You have installed link:https://catalog.redhat.com/software/containers/openshift-logging/loki-rhel8-operator/622b46bcae289285d6fcda39[Loki Operator version 5.7] 
+* The `FlowCollector` `spec.loki.authToken` configuration must be set to `FORWARD`.
+* You must be logged in as a project administrator
+.Procedure
+. Authorize reading permission to `user1` by running the following command: 
+
+[source, terminal]
+----
+$ oc adm policy add-cluster-role-to-user netobserv-reader user1
+----
+
+Now, the data is restricted to only allowed user namespaces. For example, a user that has access to a single namespace can see all the flows internal to this namespace, as well as flows going from and to this namespace.
+Project admins have access to the Administrator perspective in the {product-title} console to access the Network Flows Traffic page.
--- a/networking/network_observability/installing-operators.adoc
+++ b/networking/network_observability/installing-operators.adoc
@@ -7,7 +7,7 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 Installing Loki is a prerequisite for using the Network Observability Operator. It is recommended to install Loki using the Loki Operator; therefore, these steps are documented below prior to the Network Observability Operator installation.

-The Loki Operator integrates a gateway that implements multi-tenancy and authentication with Loki for data flow storage. The *LokiStack* resource manages *Loki*, which is a scalable, highly-available, multitenant log aggregation system, and a web proxy with {product-title} authentication. The *LokiStack* proxy uses {product-title} authentication to enforce multi-tenancy and facilitate the saving and indexing of data in *Loki* log stores. 
+The Loki Operator integrates a gateway that implements multi-tenancy & authentication with Loki for data flow storage. The *LokiStack* resource manages *Loki*, which is a scalable, highly-available, multi-tenant log aggregation system, and a web proxy with {product-title} authentication. The *LokiStack* proxy uses {product-title} authentication to enforce multi-tenancy and facilitate the saving and indexing of data in *Loki* log stores. 

 [NOTE]
 ====
@@ -17,7 +17,8 @@ The Loki Operator can also be used for xref:../../logging/cluster-logging-loki.a
 include::modules/network-observability-loki-install.adoc[leveloffset=+1]
 include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
 include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]
-include::modules/network-observability-roles-create.adoc[leveloffset=+1]
+include::modules/network-observability-auth-multi-tenancy.adoc[leveloffset=+1]
+include::modules/network-observability-multitenancy.adoc[leveloffset=+1]
 include::modules/network-observability-kafka-option.adoc[leveloffset=+1]
 include::modules/network-observability-operator-install.adoc[leveloffset=+1]