OCPBUGS-27426:Add admin groups info to NetObserv #72058

Merged
merged 1 commit into from
Mar 22, 2024
2 changes: 1 addition & 1 deletion logging/log_storage/cluster-logging-loki.adoc
Expand Up @@ -39,7 +39,7 @@ ifdef::openshift-enterprise[]
* xref:../../nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.adoc#nodes-scheduler-pod-topology-spread-constraints-configuring[Controlling pod placement by using pod topology spread constraints]
endif::[]

include::modules/logging-loki-log-access.adoc[leveloffset=+1]
include::modules/logging-loki-log-access.adoc[leveloffset=+1,tag=!NetObservMode]

[role="_additional-resources"]
.Additional resources
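
Review bot: the `tag=!NetObservMode` filter on the `logging-loki-log-access.adoc` include is exclusion-based, so any further product-specific region added to that module later will render in the logging assembly unless this line is updated as well. Consider a short comment above the include naming the regions it depends on, and using the `tags=` form here to match the include in `network_observability/installing-operators.adoc`.
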
@@ -1,6 +1,7 @@
// Module included in the following assemblies:

// cluster-logging-loki.adoc
// * cluster-logging-loki.adoc
// * network_observability/installing-operators.adoc

:_mod-docs-content-type: PROCEDURE
[id="logging-creating-new-group-cluster-admin-user-role_{context}"]
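
Review bot: the first assembly entry in the header comment, `// * cluster-logging-loki.adoc`, is still a bare file name, while the entry added beneath it carries its directory. The assembly changed in this PR is `logging/log_storage/cluster-logging-loki.adoc`; writing the entry with that path keeps the list consistent and searchable.
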
8 changes: 8 additions & 0 deletions modules/logging-loki-log-access.adoc
@@ -1,5 +1,6 @@
// Module included in the following assemblies:
//
// * network_observability/installing-operators.adoc
// * logging/cluster-logging-loki.adoc

:_mod-docs-content-type: CONCEPT
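
Review bot: the module header lists the including assemblies but does not document the `CustomAdmin`, `LokiMode` and `NetObservMode` regions introduced further down, so nothing warns a future author that an include without a tag filter renders both `mode:` lines in the YAML example. A comment in this header naming the tags and the filter each assembly is expected to use would cover that. The existing entry `logging/cluster-logging-loki.adoc` also omits the `log_storage/` directory shown in the path of the assembly changed by this PR.
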
Expand Down Expand Up @@ -70,6 +71,7 @@ subjects:
----
<1> Specifies the namespace this `RoleBinding` applies to.

// tag::CustomAdmin[]
== Custom admin group access

If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role.
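
Review bot: the paragraph inside the new `CustomAdmin` region is worded for logging only ("all application logs in all namespaces", the `cluster-logging-application-view` role), yet the region is now also rendered in the network observability assembly with `mode: openshift-network`. Either condition the role and log-type wording per product with the same tag approach used for `mode:`, or confirm that this role is what grants access in that mode. The same sentence refers to the field as `adminGroup` and then `adminGroups`; the YAML below uses `adminGroups`.
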
Expand All @@ -84,7 +86,12 @@ metadata:
namespace: openshift-logging
spec:
tenants:
# tag::LokiMode[]
mode: openshift-logging # <1>
# end::LokiMode[]
# tag::NetObservMode[]
mode: openshift-network # <1>
# end::NetObservMode[]
openshift:
adminGroups: # <2>
- cluster-admin
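
Review bot: only the `mode:` line is switched by the `LokiMode` / `NetObservMode` tags, so the network observability rendering of this example shows `mode: openshift-network` together with `namespace: openshift-logging`. If the network observability `LokiStack` is created in a different namespace, wrap the `namespace:` line in the same pair of tagged regions so the example matches what users of each product actually apply.
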
Expand All @@ -93,3 +100,4 @@ spec:
<1> Custom admin groups are only available in this mode.
<2> Entering an empty list `[]` value for this field disables admin groups.
<3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`)
// end::CustomAdmin[]
3 changes: 0 additions & 3 deletions modules/network-observability-lokistack-create.adoc
Expand Up @@ -8,9 +8,6 @@

You can deploy a LokiStack using the web console or CLI to create a namespace, or new project.

include::snippets/logging-clusteradmin-access-logs-snip.adoc[]
For more information about creating a `cluster-admin` group, see the "Additional resources" section.

.Procedure

. Navigate to *Operators* -> *Installed Operators*, viewing *All projects* from the *Project* dropdown.
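
Review bot: removing the snippet include and the "For more information about creating a `cluster-admin` group" sentence leaves this procedure with no pointer to the group requirement, and the replacement modules are included after this one in `network_observability/installing-operators.adoc`. A reader following the steps in order only learns about the admin group once the `LokiStack` already exists. Consider a one-line prerequisite or xref above `.Procedure`.
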
7 changes: 2 additions & 5 deletions network_observability/installing-operators.adoc
Expand Up @@ -29,11 +29,8 @@ include::modules/network-observability-loki-secret.adoc[leveloffset=+2]
* xref:../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
include::modules/network-observability-lokistack-create.adoc[leveloffset=+2]
[role="_additional-resources"]
.Additional resources
* xref:../logging/log_storage/cluster-logging-loki.adoc#logging-creating-new-group-cluster-admin-user-role_cluster-logging-loki[Creating a new group for the cluster-admin user role]
include::modules/logging-creating-new-group-cluster-admin-user-role.adoc[leveloffset=+2]
include::modules/logging-loki-log-access.adoc[leveloffset=+1,tags=CustomAdmin;NetObservMode;!LokiMode]
include::modules/loki-deployment-sizing.adoc[leveloffset=+2]
include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2]
include::modules/network-observability-auth-multi-tenancy.adoc[leveloffset=+2]
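
Review bot: the new `logging-loki-log-access.adoc` include uses `leveloffset=+1` while every neighbouring include uses `+2`. That lines up only because the `CustomAdmin` region begins at a `==` heading rather than at the module title, which is not obvious from this file. Add a comment above the include saying so, so the offset is not "corrected" to `+2` later. The selected region also starts directly at the heading with no `[id=...]` line visible in the module diff, so the section gets no explicit anchor in this assembly.
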
1 change: 0 additions & 1 deletion snippets/logging-clusteradmin-access-logs-snip.adoc
Expand Up @@ -4,7 +4,6 @@
// Text snippet included in the following modules:
//
// * modules/logging-creating-new-group-cluster-admin-user-role.adoc
// * modules/network-observability-lokistack-create.adoc
//
:_mod-docs-content-type: SNIPPET
