OCPBUGS-27426:Add admin groups info to NetObserv

Author: skrthomas

logging/log_storage/cluster-logging-loki.adoc

@@ -39,7 +39,8 @@ ifdef::openshift-enterprise[]
 * xref:../../nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.adoc#nodes-scheduler-pod-topology-spread-constraints-configuring[Controlling pod placement by using pod topology spread constraints]
 endif::[]
 
-include::modules/logging-loki-log-access.adoc[leveloffset=+1]
+include::modules/logging-loki-log-access.adoc[leveloffset=+1,tag=ForLoki]
+
 
 [role="_additional-resources"]
 .Additional resources

modules/logging-creating-new-group-cluster-admin-user-role.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 
-//  cluster-logging-loki.adoc
+//  * cluster-logging-loki.adoc
+//  * network_observability/installing-operators.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="logging-creating-new-group-cluster-admin-user-role_{context}"]

modules/logging-loki-log-access.adoc

@@ -4,6 +4,7 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="logging-loki-log-access_{context}"]
+tag::ForLoki[]
 = Fine grained access for Loki logs
 
 In {logging} 5.8 and later, the {clo} does not grant all users access to logs by default. As an administrator, you must configure your users' access unless the Operator was upgraded and prior configurations are in place. Depending on your configuration and need, you can configure fine grain access to logs using the following:
@@ -12,7 +13,7 @@ In {logging} 5.8 and later, the {clo} does not grant all users access to logs by
 * Namespace scoped policies
 * Creation of custom admin groups
 
-As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. The {clo} provides the following cluster roles:
+As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. {clo} provides the following cluster roles:
 
 * `cluster-logging-application-view` grants permission to read application logs.
 * `cluster-logging-infrastructure-view` grants permission to read infrastructure logs.
@@ -93,3 +94,30 @@ spec:
 <1> Custom admin groups are only available in this mode.
 <2> Entering an empty list `[]` value for this field disables admin groups.
 <3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+end::ForLoki[]
+
+tag::ForNetObserv[]
+== Custom admin group access
+
+If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
+
+.Example LokiStack CR
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  tenants:
+    mode: openshift-network # <1>
+    openshift:
+      adminGroups: # <2>
+      - cluster-admin
+      - custom-admin-group # <3>
+----
+<1> Custom admin groups are only available in this mode.
+<2> Entering an empty list `[]` value for this field disables admin groups.
+<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+end::ForNetObserv[]

modules/network-observability-lokistack-create.adoc

@@ -8,9 +8,6 @@
 
 You can deploy a LokiStack using the web console or CLI to create a namespace, or new project.
 
-include::snippets/logging-clusteradmin-access-logs-snip.adoc[]
-For more information about creating a `cluster-admin` group, see the "Additional resources" section.
-
 .Procedure
 
 . Navigate to *Operators* -> *Installed Operators*, viewing *All projects* from the *Project* dropdown.

network_observability/installing-operators.adoc

@@ -29,10 +29,9 @@ include::modules/network-observability-loki-secret.adoc[leveloffset=+2]
 * xref:../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
 
 include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
+include::modules/logging-creating-new-group-cluster-admin-user-role.adoc[leveloffset=+2]
+include::modules/logging-loki-log-access.adoc[leveloffset=+2,tag=ForNetObserv]
 
-[role="_additional-resources"]
-.Additional resources
-* xref:../logging/log_storage/cluster-logging-loki.adoc#logging-creating-new-group-cluster-admin-user-role_cluster-logging-loki[Creating a new group for the cluster-admin user role]
 
 include::modules/loki-deployment-sizing.adoc[leveloffset=+2]
 include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]

snippets/logging-clusteradmin-access-logs-snip.adoc

@@ -4,7 +4,6 @@
 // Text snippet included in the following modules:
 //
 // * modules/logging-creating-new-group-cluster-admin-user-role.adoc
-// * modules/network-observability-lokistack-create.adoc
 //
 :_mod-docs-content-type: SNIPPET