OpenShift Logging
LOG-2456: unexpected result when querying audit and infra logs from LokiStack with different roles

Details

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • Affects Version/s: Logging 5.5.0, Logging 5.4.0
    • Component/s: Log Storage
    • Epic Link: OBSDA-7 - Adopting Loki as an alternative to Elasticsearch to support more lightweight, easier to manage/operate storage scenarios
    • Sprint: Logging (LogExp) - Sprint 217

    Description

      Description of problem:
      The cluster admin cannot see the journal logs and audit logs, but a common user with the get rule can see them before it owns any private project.

      The common user should not see infra and audit logs.

      Version-Release number of selected component (if applicable):

      cluster-logging.5.4.0-123

      loki-operator.5.4.0-26

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a LokiStack.
      2. Create the role bindings:

      cat <<EOF |oc create -f -
      ---
      # Write access to all three tenants (used by the log collector).
      # The gateway checks: apiGroup loki.grafana.com, resource = tenant, name = logs.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: ${lokistack_name}-tenant-all-create
      rules:
      - apiGroups:
        - 'loki.grafana.com'
        resources:
        - application
        - infrastructure
        - audit
        resourceNames:
        - logs
        verbs:
        - 'create'
      ---
      # Read access to all three tenants, including infrastructure and audit.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: ${lokistack_name}-tenant-all-get
      rules:
      - apiGroups:
        - 'loki.grafana.com'
        resources:
        - application
        - infrastructure
        - audit
        resourceNames:
        - logs
        verbs:
        - 'get'
      ---
      # Read access to the application tenant only (defined but not bound below).
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: ${lokistack_name}-tenant-app-get
      rules:
      - apiGroups:
        - 'loki.grafana.com'
        resources:
        - application
        resourceNames:
        - logs
        verbs:
        - 'get'
      ---
      # The collector service account may push to every tenant.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: ${lokistack_name}-tenant-binding-all-create
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ${lokistack_name}-tenant-all-create
      subjects:
      - kind: ServiceAccount
        name: logcollector
        namespace: openshift-logging
      ---
      # Both test users are bound to the all-get role, i.e. they may read
      # application, infrastructure and audit logs.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: ${lokistack_name}-tenant-binding-all-get
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ${lokistack_name}-tenant-all-get
      subjects:
      - kind: User
        name: testuser-1
      - kind: User
        name: testuser-2
      EOF

      3. Forward logs to the LokiStack:

      cat <<EOF |oc create -f -
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: instance
        namespace: openshift-logging
      spec:
        outputs:
         # One output per tenant; the tenant is the last path segment of the gateway URL.
         - name: loki-app
           type: loki
           url: http://${gateway_svc_name}/api/logs/v1/application
           secret:
             name: lokistack-gateway-bearer-token
         - name: loki-infra
           type: loki
           url: http://${gateway_svc_name}/api/logs/v1/infrastructure
           secret:
             name: lokistack-gateway-bearer-token
         - name: loki-audit
           type: loki
           url: http://${gateway_svc_name}/api/logs/v1/audit
           secret:
             name: lokistack-gateway-bearer-token
        pipelines:
        - name: infra-to-loki
          inputRefs:
          - infrastructure
          outputRefs:
          - loki-infra
        - name: app-to-loki
          inputRefs:
          - application
          outputRefs:
          - loki-app
        - name: audit-to-loki
          inputRefs:
          - audit
          outputRefs:
          - loki-audit
      EOF

      4. Query infra and audit logs as kubeadmin and as testuser-1.

      Actual result:
      kubeadmin cannot view journald logs and audit logs.
      The common user testuser-1 can get journald and audit logs before it owns any project.

      Expected result:

      kubeadmin can see infra and audit logs.

      The common user cannot see infra and audit logs.
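As an added example (not code from this report or from the Loki operator), the following Python models the authorization check that the LokiStack gateway delegates to Kubernetes RBAC: for each request it issues a SubjectAccessReview for apiGroup loki.grafana.com, resource = tenant, resourceName logs and verb get (reads) or create (writes), and the ClusterRoles and ClusterRoleBindings from step 2 decide the answer. Evaluated offline against the objects exactly as written in step 2, it shows that testuser-1 and testuser-2 are allowed to read all three tenants, because the report binds them to the -tenant-all-get role, whereas a user bound only to the -tenant-app-get role reads the application tenant alone. The LokiStack name, the testuser-3 binding and the system:masters-to-cluster-admin binding are assumptions marked in the code; the model covers only the RBAC decision and does not say why kubeadmin's queries failed in this report.

```python
"""Offline model of the per-tenant authorization check behind a LokiStack gateway.

For every request the gateway asks the API server a SubjectAccessReview:
  apiGroup=loki.grafana.com  resource=<tenant>  name=logs  verb=get|create
Kubernetes RBAC answers it from the ClusterRoles/ClusterRoleBindings.  The
objects below are constructed from the report's YAML (plus two assumed
additions marked as such); nothing here talks to a cluster.
"""
from dataclasses import dataclass

LOKISTACK = "lokistack-sample"   # assumed value of ${lokistack_name}
TENANTS = ("application", "infrastructure", "audit")
GROUP = "loki.grafana.com"


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    resource_names: tuple   # empty means "any name"
    verbs: tuple


@dataclass(frozen=True)
class Subject:
    kind: str               # User, Group or ServiceAccount
    name: str
    namespace: str = ""


CLUSTER_ROLES = {
    # the three ClusterRoles from step 2 of the report
    f"{LOKISTACK}-tenant-all-create": [Rule((GROUP,), TENANTS, ("logs",), ("create",))],
    f"{LOKISTACK}-tenant-all-get":    [Rule((GROUP,), TENANTS, ("logs",), ("get",))],
    f"{LOKISTACK}-tenant-app-get":    [Rule((GROUP,), ("application",), ("logs",), ("get",))],
    # built-in cluster-admin role: wildcard on every group, resource and verb
    "cluster-admin": [Rule(("*",), ("*",), (), ("*",))],
}

CLUSTER_ROLE_BINDINGS = [
    # bindings from step 2 of the report
    (f"{LOKISTACK}-tenant-all-create",
     [Subject("ServiceAccount", "logcollector", "openshift-logging")]),
    (f"{LOKISTACK}-tenant-all-get",
     [Subject("User", "testuser-1"), Subject("User", "testuser-2")]),
    # assumed: a user bound only to the app-get role (the report defines the
    # role but binds nobody to it), for contrast with the all-get users
    (f"{LOKISTACK}-tenant-app-get", [Subject("User", "testuser-3")]),
    # assumed: the standard binding of the system:masters group (which
    # kube:admin belongs to) to cluster-admin
    ("cluster-admin", [Subject("Group", "system:masters")]),
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource, name):
    """RBAC rule evaluation: every attribute must match, '*' is a wildcard."""
    return (_matches(rule.api_groups, group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb)
            and (not rule.resource_names or name in rule.resource_names))


def subject_matches(subject, user, groups):
    if subject.kind == "User":
        return subject.name == user
    if subject.kind == "Group":
        return subject.name in groups
    if subject.kind == "ServiceAccount":
        return user == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False


def subject_access_review(user, groups, verb, tenant):
    """Return (allowed, spec): the gateway's SAR spec for one tenant and its answer."""
    spec = {"user": user, "groups": list(groups),
            "resourceAttributes": {"group": GROUP, "resource": tenant,
                                   "name": "logs", "verb": verb}}
    for role_name, subjects in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in subjects):
            continue
        if any(rule_allows(r, verb, GROUP, tenant, "logs")
               for r in CLUSTER_ROLES.get(role_name, [])):
            return True, spec
    return False, spec


def readable_tenants(user, groups=()):
    """Tenants whose /api/logs/v1/<tenant> query endpoints this user may read."""
    return [t for t in TENANTS if subject_access_review(user, groups, "get", t)[0]]


def writable_tenants(user, groups=()):
    """Tenants this identity may push logs into (what the collector needs)."""
    return [t for t in TENANTS if subject_access_review(user, groups, "create", t)[0]]


if __name__ == "__main__":
    for who, grp in [("testuser-1", ()), ("testuser-3", ()),
                     ("kube:admin", ("system:masters",)),
                     ("system:serviceaccount:openshift-logging:logcollector", ())]:
        print(f"{who}: read={readable_tenants(who, grp)} write={writable_tenants(who, grp)}")
```

The `spec` dictionary returned by `subject_access_review` has the shape of an authorization.k8s.io/v1 SubjectAccessReview `spec`, so the same question can be put to a live API server by wrapping it in that object and submitting it with `oc create -f -` as a cluster admin; that is a more reliable check than `oc auth can-i`, which cannot resolve the virtual loki.grafana.com resources through the REST mapper.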


People

  Assignee: Unassigned
  Reporter: Anping Li (rhn-support-anli)
  Ishwar Kanse