Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-4540

Loki - Object Storage AWS & Azure Identity Federation Support

XMLWordPrintable

    • Loki - Object Storage AWS & Azure Identity Federation Support
    • False
    • None
    • False
    • Green
    • NEW
    • Done
    • OBSDA-527 - Enable Grafana support for cloud providers in Loki
    • OBSDA-527Enable Grafana support for cloud providers in Loki
    • VERIFIED
    • 0% To Do, 0% In Progress, 100% Done
    • This update adds Loki upstream and downstream support for both AWS and Azure identity federation mechanisms, for authenticated and authorized access of the corresponding object storage services
    • Feature
    • L

      Goals

      1. Add Loki upstream and downstream support for AWS identity federation mechanism for authenticated and authorized access of the corresponding object storage services.
      2. Add Loki upstream and downstream support for Azure identity federation mechanism for authenticated and authorized access of the corresponding object storage services.

      Non-Goals

      1. TBD

      Motivation

      As per all cloud providers offering identity federation getting traction in all major managed and unmanaged Kubernetes distributions the Log Storage components require support to align with this IAM pattern. Identity federation across all provides (AWS, Azure) allows a more secure and centralized access to any service to service communication from workloads and infrastructure components running on Kubernetes/OpenShift cluster. It enables a faster turnaround time on stopping unqualified access to any service in case of breaches into services of entire clusters. Specifically for log storage based on Loki it gives a more secure access to logs stored on object storage buckets w/o the need to touch the service, it's configuration and any environment. Usually service operations continue seamless by access the credentials provided to the running containers by the host. In case of credentials revocation that will cascade through the cloud provider IAM services to the hosts and in turn to the containers automatically.

      Alternatives

      None.

      Acceptance Criteria

      1. The LokiStack administrator can define a valid object storage secret that enables using AWS Secure Token Service granting access to S3.
      2. The LokiStack administrator can define a valid object storage secret that enables using Azure Workload Identity Federation granting access to Azure Blob Storage.

      Risk and Assumptions

      None.

      Documentation Considerations

      Requires completion of OBSDOCS-219 and expanding it to explain how to use the extra setting the object storage secret configuration for each cloud providers' identity federation. Beyond that it requires a concise authn/authz setting per provider that configures the granted rights to access S3/Blob Storage on each provider (See https://grafana.com/docs/loki/v2.9.x/storage/#aws-deployment-s3-single-store)

      Open Questions

      Additional Notes

              ptsiraki@redhat.com Periklis Tsirakidis
              ptsiraki@redhat.com Periklis Tsirakidis
              Kabir Bharti Kabir Bharti
              Votes:
              3 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: