Goals

• Support denying users to access the workload logs of an entire namespace.
• Support denying users with elevated rights similar to cluster-admins to access the workload logs.
• Support limiting users with elevated across many namespaces to access only logs where they are namespace admin.

Non-Goals

• Custom access policies for the LokiStack authentication and authorization provider on OpenShift.

Motivation

In enterprise environments, where OpenShift Container Platform 4 is used across different legal entities, it's common to have central teams that support the application teams in the respective entities. But given that some application may log sensitive data, those centralized support teams are not granted access to logs but they can only view specific objecs, such as pods in the namespace.

Even though OpenShift Container Platform 4 does allow to configure RBAC to address these use-cases, LokiStack does not and therefore grants access to logs for people that should not see them.

Also important, users can have elevanted permissions to accesss all namespaces in a OpenShift Container Platform 4 - Cluster and not see logs but also have their own application running where they are full application admin and thus require access to logs, also through LokiStack.

Alternatives

Acceptance Criteria

• The LokiStack administrator can deny/approve workload logs access per namespace per user/group.
• The LokiStack administrator can deny access to workload logs even if the user/group can see the multiple namespaces or has cluster-admin-like rights.
• The LokiStack administrator can limit users with many namespaces to access logs of namespaces where they are admin only.

Risk and Assumptions

Documentation Considerations

Open Questions

Additional Notes

• Spike: Namespaced SubjectAccessReviews
• Enhancement Proposal: Fine-grained Access Control