OCPBUGS-27426:Add admin groups info to NetObserv

skrthomas · skrthomas · commit 1e1eab96ed1b · 2024-02-22T15:21:48.000-05:00
diff --git a/logging/log_storage/cluster-logging-loki.adoc b/logging/log_storage/cluster-logging-loki.adoc
@@ -39,7 +39,8 @@ ifdef::openshift-enterprise[]
 * xref:../../nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.adoc#nodes-scheduler-pod-topology-spread-constraints-configuring[Controlling pod placement by using pod topology spread constraints]
 endif::[]
 
-include::modules/logging-loki-log-access.adoc[leveloffset=+1]
+include::modules/logging-loki-log-access.adoc[leveloffset=+1,tag=ForLoki]
+
 
 [role="_additional-resources"]
 .Additional resources
diff --git a/modules/logging-creating-new-group-cluster-admin-user-role.adoc b/modules/logging-creating-new-group-cluster-admin-user-role.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 
-//  cluster-logging-loki.adoc
+//  * cluster-logging-loki.adoc
+//  * network_observability/installing-operators.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="logging-creating-new-group-cluster-admin-user-role_{context}"]
diff --git a/modules/logging-loki-log-access.adoc b/modules/logging-loki-log-access.adoc
@@ -1,9 +1,11 @@
 // Module included in the following assemblies:
 //
+// * network_observability/installing-operators.adoc
 // * logging/cluster-logging-loki.adoc
 
 :_mod-docs-content-type: CONCEPT
 [id="logging-loki-log-access_{context}"]
+tag::ForLoki[]
 = Fine grained access for Loki logs
 
 In {logging} 5.8 and later, the {clo} does not grant all users access to logs by default. As an administrator, you must configure your users' access unless the Operator was upgraded and prior configurations are in place. Depending on your configuration and need, you can configure fine grain access to logs using the following:
@@ -93,3 +95,30 @@ spec:
 <1> Custom admin groups are only available in this mode.
 <2> Entering an empty list `[]` value for this field disables admin groups.
 <3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+end::ForLoki[]
+
+tag::ForNetObserv[]
+= Custom admin group access
+
+If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
+
+.Example LokiStack CR
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  tenants:
+    mode: openshift-network # <1>
+    openshift:
+      adminGroups: # <2>
+      - cluster-admin
+      - custom-admin-group # <3>
+----
+<1> Custom admin groups are only available in this mode.
+<2> Entering an empty list `[]` value for this field disables admin groups.
+<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+end::ForNetObserv[]
diff --git a/modules/network-observability-lokistack-create.adoc b/modules/network-observability-lokistack-create.adoc
@@ -8,9 +8,6 @@
 
 You can deploy a LokiStack using the web console or CLI to create a namespace, or new project.
 
-include::snippets/logging-clusteradmin-access-logs-snip.adoc[]
-For more information about creating a `cluster-admin` group, see the "Additional resources" section.
-
 .Procedure
 
 . Navigate to *Operators* -> *Installed Operators*, viewing *All projects* from the *Project* dropdown.
diff --git a/network_observability/installing-operators.adoc b/network_observability/installing-operators.adoc
@@ -29,10 +29,9 @@ include::modules/network-observability-loki-secret.adoc[leveloffset=+2]
 * xref:../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
 
 include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
+include::modules/logging-creating-new-group-cluster-admin-user-role.adoc[leveloffset=+2]
+include::modules/logging-loki-log-access.adoc[leveloffset=+1,tag=ForNetObserv]
 
-[role="_additional-resources"]
-.Additional resources
-* xref:../logging/log_storage/cluster-logging-loki.adoc#logging-creating-new-group-cluster-admin-user-role_cluster-logging-loki[Creating a new group for the cluster-admin user role]
 
 include::modules/loki-deployment-sizing.adoc[leveloffset=+2]
 include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]
diff --git a/snippets/logging-clusteradmin-access-logs-snip.adoc b/snippets/logging-clusteradmin-access-logs-snip.adoc
@@ -4,7 +4,6 @@
 // Text snippet included in the following modules:
 //
 // * modules/logging-creating-new-group-cluster-admin-user-role.adoc
-// * modules/network-observability-lokistack-create.adoc
 //
 :_mod-docs-content-type: SNIPPET
 
