mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
123 lines
4.5 KiB
Plaintext
123 lines
4.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * observability/network_observability/installing-operators.adoc
|
|
// * logging/cluster-logging-loki.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="logging-loki-log-access_{context}"]
|
|
= Fine grained access for Loki logs
|
|
|
|
In {logging} 5.8 and later, the {clo} does not grant all users access to logs by default. As an administrator, you must configure your users' access unless the Operator was upgraded and prior configurations are in place. Depending on your configuration and need, you can configure fine grain access to logs using the following:
|
|
|
|
* Cluster wide policies
|
|
* Namespace scoped policies
|
|
* Creation of custom admin groups
|
|
|
|
As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. The {clo} provides the following cluster roles:
|
|
|
|
* `cluster-logging-application-view` grants permission to read application logs.
|
|
* `cluster-logging-infrastructure-view` grants permission to read infrastructure logs.
|
|
* `cluster-logging-audit-view` grants permission to read audit logs.
|
|
|
|
If you have upgraded from a prior version, an additional cluster role `logging-application-logs-reader` and associated cluster role binding `logging-all-authenticated-application-logs-reader` provide backward compatibility, allowing any authenticated user read access in their namespaces.
|
|
|
|
[NOTE]
|
|
====
|
|
Users with access by namespace must provide a namespace when querying application logs.
|
|
====
|
|
|
|
== Cluster wide access
|
|
Cluster role binding resources reference cluster roles, and set permissions cluster wide.
|
|
|
|
.Example ClusterRoleBinding
|
|
[source,yaml]
|
|
----
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: logging-all-application-logs-reader
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: cluster-logging-application-view # <1>
|
|
subjects: # <2>
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
----
|
|
<1> Additional `ClusterRoles` are `cluster-logging-infrastructure-view`, and `cluster-logging-audit-view`.
|
|
<2> Specifies the users or groups this object applies to.
|
|
|
|
== Namespaced access
|
|
|
|
`RoleBinding` resources can be used with `ClusterRole` objects to define the namespace a user or group has access to logs for.
|
|
|
|
.Example RoleBinding
|
|
[source,yaml]
|
|
----
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: allow-read-logs
|
|
namespace: log-test-0 # <1>
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: cluster-logging-application-view
|
|
subjects:
|
|
- kind: User
|
|
apiGroup: rbac.authorization.k8s.io
|
|
name: testuser-0
|
|
----
|
|
<1> Specifies the namespace this `RoleBinding` applies to.
|
|
|
|
// tag::CustomAdmin[]
|
|
== Custom admin group access
|
|
|
|
// tag::LokiMode[]
|
|
If you have a large deployment with several users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered administrators.
|
|
// end::LokiMode[]
|
|
|
|
// tag::NetObservMode[]
|
|
If you need to see cluster-wide logs without necessarily being an administrator, or if you already have any group defined that you want to use here, you can specify a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` custom resource (CR) have the same read access to logs as administrators.
|
|
// end::NetObservMode[]
|
|
|
|
// tag::LokiMode[]
|
|
Administrator users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
|
|
// end::LokiMode[]
|
|
|
|
// tag::NetObservMode[]
|
|
Administrator users have access to all network logs across the cluster.
|
|
// end::NetObservMode[]
|
|
|
|
.Example LokiStack CR
|
|
[source,yaml]
|
|
----
|
|
apiVersion: loki.grafana.com/v1
|
|
kind: LokiStack
|
|
metadata:
|
|
# tag::LokiMode[]
|
|
name: logging-loki
|
|
namespace: openshift-logging
|
|
# end::LokiMode[]
|
|
# tag::NetObservMode[]
|
|
name: loki
|
|
namespace: netobserv
|
|
# end::NetObservMode[]
|
|
spec:
|
|
tenants:
|
|
# tag::LokiMode[]
|
|
mode: openshift-logging # <1>
|
|
# end::LokiMode[]
|
|
# tag::NetObservMode[]
|
|
mode: openshift-network # <1>
|
|
# end::NetObservMode[]
|
|
openshift:
|
|
adminGroups: # <2>
|
|
- cluster-admin
|
|
- custom-admin-group # <3>
|
|
----
|
|
<1> Custom admin groups are only available in this mode.
|
|
<2> Entering an empty list `[]` value for this field disables admin groups.
|
|
<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
|
|
// end::CustomAdmin[] |