From 006f06b59eef2c61779ee6adff45bcd0045669c7 Mon Sep 17 00:00:00 2001
From: Sara Thomas
Date: Wed, 10 May 2023 16:59:58 -0400
Subject: [PATCH] OSDOCS-5287: Network Observability multi-tenancy

---
 ...work-observability-auth-multi-tenancy.adoc | 62 +++++++++++++++++++
 .../network-observability-multitenancy.adoc | 23 +++++++
 .../installing-operators.adoc | 5 +-
 3 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 modules/network-observability-auth-multi-tenancy.adoc
 create mode 100644 modules/network-observability-multitenancy.adoc

diff --git a/modules/network-observability-auth-multi-tenancy.adoc b/modules/network-observability-auth-multi-tenancy.adoc
new file mode 100644
index 0000000000..a41a3d3976
--- /dev/null
+++ b/modules/network-observability-auth-multi-tenancy.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+
+// * networking/network_observability/installing-operators.adoc
+
+:_content-type: PROCEDURE
+[id="network-observability-auth-mutli-tenancy_{context}"]
+= Configure authorization and multi-tenancy
+Define `ClusterRole` and `ClusterRoleBinding`. The `netobserv-reader` `ClusterRole` enables multi-tenancy and allows individual user access, or group access, to the flows stored in Loki. You can create a YAML file to define these roles.
+
+.Procedure
+
+. Using the web console, click the Import icon, *+*.
+. Drop your YAML file into the editor and click *Create*:
++
+[source, yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: netobserv-reader <1>
+rules:
+- apiGroups:
+ - 'loki.grafana.com'
+ resources:
+ - network
+ resourceNames:
+ - logs
+ verbs:
+ - 'get'
+...
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: netobserv-writer
+rules:
+- apiGroups:
+ - 'loki.grafana.com'
+ resources:
+ - network
+ resourceNames:
+ - logs
+ verbs:
+ - 'create'
+...
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: netobserv-writer-flp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: netobserv-writer
+subjects:
+- kind: ServiceAccount
+ name: flowlogs-pipeline <2>
+ namespace: netobserv
+- kind: ServiceAccount
+ name: flowlogs-pipeline-transformer
+ namespace: netobserv
+----
+<1> This role can be used for multi-tenancy.
+<2> The `flowlogs-pipeline` writes to Loki. If you are using Kafka, this value is `flowlogs-pipeline-transformer`.
\ No newline at end of file
diff --git a/modules/network-observability-multitenancy.adoc b/modules/network-observability-multitenancy.adoc
new file mode 100644
index 0000000000..85548bf008
--- /dev/null
+++ b/modules/network-observability-multitenancy.adoc
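Review bot: The three manifests in the `[source, yaml]` block are separated with `...`, which in YAML marks the end of a document rather than the start of the next one; `oc` and the console importer split multi-document manifests on `---`, so as written the import is likely to create only the first `netobserv-reader` ClusterRole or fail outright, leaving `netobserv-writer` and the `netobserv-writer-flp` binding missing and the flowlogs pipeline unable to write to Loki. Replace both `...` lines with `---`. Callout `<1> This role can be used for multi-tenancy.` would also be more useful if it named the intent, e.g. `<1> Bind this role to the users or groups who are allowed to read flows; see the multi-tenancy procedure.`. Separately, the anchor `[id="network-observability-auth-mutli-tenancy_{context}"]` misspells "multi", which will break any xref written against the intended id.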
@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// network_observability/observing-network-traffic.adoc
+
+:_content-type: PROCEDURE
+[id="network-observability-multi-tenancy{context}"]
+= Enable multi-tenancy in Network Observability
+Multi-tenancy in the Network Observability Operator allows and restricts individual user access, or group access, to the flows stored in Loki. Access is enabled for project admins. Project admins who have limited access to some namespaces can access flows for only those namespaces.
+
+.Prerequisite
+* You have installed link:https://catalog.redhat.com/software/containers/openshift-logging/loki-rhel8-operator/622b46bcae289285d6fcda39[Loki Operator version 5.7]
+* The `FlowCollector` `spec.loki.authToken` configuration must be set to `FORWARD`.
+* You must be logged in as a project administrator
+.Procedure
+. Authorize reading permission to `user1` by running the following command:
++
+[source, terminal]
+----
+$ oc adm policy add-cluster-role-to-user netobserv-reader user1
+----
++
+Now, the data is restricted to only allowed user namespaces. For example, a user that has access to a single namespace can see all the flows internal to this namespace, as well as flows going from and to this namespace.
+Project admins have access to the Administrator perspective in the {product-title} console to access the Network Flows Traffic page.
\ No newline at end of file
diff --git a/networking/network_observability/installing-operators.adoc b/networking/network_observability/installing-operators.adoc
index 8065bbcea4..cf7ceccdc7 100644
--- a/networking/network_observability/installing-operators.adoc
+++ b/networking/network_observability/installing-operators.adoc
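Review bot: The prerequisite `* You must be logged in as a project administrator` contradicts the procedure step, because `oc adm policy add-cluster-role-to-user netobserv-reader user1` creates a ClusterRoleBinding, and ordinarily only a cluster administrator (or a user explicitly allowed to create `ClusterRoleBinding` objects) can do that; a project admin running the command will get a forbidden error. Change it to `* You must be logged in as a cluster administrator.` and keep the existing statement that project admins are the ones who gain access. The list should also state that the `netobserv-reader` ClusterRole from the authorization module must already exist, since the command fails if it does not. The anchor `[id="network-observability-multi-tenancy{context}"]` is missing the `_` before `{context}` that the sibling module uses, and `.Prerequisite` should be `.Prerequisites` to match the three bullets.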
@@ -7,7 +7,7 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 
 Installing Loki is a prerequisite for using the Network Observability Operator. It is recommended to install Loki using the Loki Operator; therefore, these steps are documented below prior to the Network Observability Operator installation.
-The Loki Operator integrates a gateway that implements multi-tenancy and authentication with Loki for data flow storage. The *LokiStack* resource manages *Loki*, which is a scalable, highly-available, multitenant log aggregation system, and a web proxy with {product-title} authentication. The *LokiStack* proxy uses {product-title} authentication to enforce multi-tenancy and facilitate the saving and indexing of data in *Loki* log stores.
+The Loki Operator integrates a gateway that implements multi-tenancy & authentication with Loki for data flow storage. The *LokiStack* resource manages *Loki*, which is a scalable, highly-available, multi-tenant log aggregation system, and a web proxy with {product-title} authentication. The *LokiStack* proxy uses {product-title} authentication to enforce multi-tenancy and facilitate the saving and indexing of data in *Loki* log stores.
 
 [NOTE]
 ====
@@ -17,7 +17,8 @@ The Loki Operator can also be used for xref:../../logging/cluster-logging-loki.a
 include::modules/network-observability-loki-install.adoc[leveloffset=+1]
 include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
 include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]
-include::modules/network-observability-roles-create.adoc[leveloffset=+1]
+include::modules/network-observability-auth-multi-tenancy.adoc[leveloffset=+1]
+include::modules/network-observability-multitenancy.adoc[leveloffset=+1]
 include::modules/network-observability-kafka-option.adoc[leveloffset=+1]
 include::modules/network-observability-operator-install.adoc[leveloffset=+1]