OCPBUGS-27426:Add admin groups info to NetObserv

skrthomas · skrthomas · commit e22d1f28b934 · 2024-02-22T11:37:46.000-05:00
diff --git a/modules/logging-creating-new-group-cluster-admin-user-role.adoc b/modules/logging-creating-new-group-cluster-admin-user-role.adoc
@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 
-//  cluster-logging-loki.adoc
+//  * cluster-logging-loki.adoc
+//  * network_observability/installing-operators.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="logging-creating-new-group-cluster-admin-user-role_{context}"]
diff --git a/modules/logging-loki-log-access.adoc b/modules/logging-loki-log-access.adoc
@@ -12,7 +12,7 @@ In {logging} 5.8 and later, the {clo} does not grant all users access to logs by
 * Namespace scoped policies
 * Creation of custom admin groups
 
-As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. The {clo} provides the following cluster roles:
+As an administrator, you need to create the role bindings and cluster role bindings appropriate for your deployment. {clo} provides the following cluster roles:
 
 * `cluster-logging-application-view` grants permission to read application logs.
 * `cluster-logging-infrastructure-view` grants permission to read infrastructure logs.
@@ -70,10 +70,36 @@ subjects:
 ----
 <1> Specifies the namespace this `RoleBinding` applies to.
 
+tag::ForNetObserv[]
 == Custom admin group access
 
 If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
 
+ifdef::network_observability[]
+.Example LokiStack CR
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  tenants:
+    mode: openshift-network # <1>
+    openshift:
+      adminGroups: # <2>
+      - cluster-admin
+      - custom-admin-group # <3>
+----
+<1> Custom admin groups are only available in this mode.
+<2> Entering an empty list `[]` value for this field disables admin groups.
+<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+endif::network_observability[]
+
+end::ForNetObserv[]
+
+ifdef::cluster-logging-loki[]
 .Example LokiStack CR
 [source,yaml]
 ----
@@ -93,3 +119,4 @@ spec:
 <1> Custom admin groups are only available in this mode.
 <2> Entering an empty list `[]` value for this field disables admin groups.
 <3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
+endif::cluster-logging-loki[]
diff --git a/modules/network-observability-lokistack-create.adoc b/modules/network-observability-lokistack-create.adoc
@@ -8,9 +8,6 @@
 
 You can deploy a LokiStack using the web console or CLI to create a namespace, or new project.
 
-include::snippets/logging-clusteradmin-access-logs-snip.adoc[]
-For more information about creating a `cluster-admin` group, see the "Additional resources" section.
-
 .Procedure
 
 . Navigate to *Operators* -> *Installed Operators*, viewing *All projects* from the *Project* dropdown.
diff --git a/network_observability/installing-operators.adoc b/network_observability/installing-operators.adoc
@@ -29,10 +29,30 @@ include::modules/network-observability-loki-secret.adoc[leveloffset=+2]
 * xref:../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
 
 include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../logging/log_storage/cluster-logging-loki.adoc#logging-creating-new-group-cluster-admin-user-role_cluster-logging-loki[Creating a new group for the cluster-admin user role]
+include::modules/logging-creating-new-group-cluster-admin-user-role.adoc[leveloffset=+2]
+== Custom admin group access
+
+If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
+
+.Example LokiStack CR
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki
+  namespace: openshift-logging
+spec:
+  tenants:
+    mode: openshift-network # <1>
+    openshift:
+      adminGroups: # <2>
+      - cluster-admin
+      - custom-admin-group # <3>
+----
+<1> Custom admin groups are only available in this mode.
+<2> Entering an empty list `[]` value for this field disables admin groups.
+<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
 
 include::modules/loki-deployment-sizing.adoc[leveloffset=+2]
 include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]
diff --git a/snippets/logging-clusteradmin-access-logs-snip.adoc b/snippets/logging-clusteradmin-access-logs-snip.adoc
@@ -4,7 +4,6 @@
 // Text snippet included in the following modules:
 //
 // * modules/logging-creating-new-group-cluster-admin-user-role.adoc
-// * modules/network-observability-lokistack-create.adoc
 //
 :_mod-docs-content-type: SNIPPET
 
