Bug
Resolution: Done
Major
Logging 5.9.0
NEW
OBSDA-525 - Enable OpenTelemetry in Loki
VERIFIED
Release Note Not Required
Log Storage - Sprint 247, Log Storage - Sprint 248, Log Storage - Sprint 249, Log Storage - Sprint 250
Description:
When LokiStack is configured to block queries with a regex pattern, a user can still run queries matching the regex pattern.
spec:
  limits:
    tenants:
      application:
        queries:
          blocked:
          - pattern: '.*my-app.*'
            regex: true
          queryTimeout: 3m
.....
$ logcli -o raw --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr="https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application" query '{kubernetes_namespace_name="my-app"}' | tail -1
2024/01/03 14:45:38 https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1704273338385011000&limit=30&query=%7Bkubernetes_namespace_name%3D%22my-app%22%7D&start=1704269738385011000
2024/01/03 14:45:40 Common labels: {kubernetes_container_name="centos-logtest", kubernetes_host="ip-10-0-4-212.us-east-2.compute.internal", kubernetes_namespace_name="my-app", kubernetes_pod_name="centos-logtest-mbs7b", log_type="application"}
{"@timestamp":"2024-01-03T09:15:08.804487774Z","file":"/var/log/pods/my-app_centos-logtest-mbs7b_0d7d2952-3c0a-49e1-af99-7dd804751b85/centos-logtest/0.log","hostname":"ip-10-0-4-212.us-east-2.compute.internal","kubernetes":{"annotations":{"k8s.v1.cni.cncf.io/network-status":"[{\n \"name\": \"openshift-sdn\",\n \"interface\": \"eth0\",\n \"ips\": [\n \"10.128.2.21\"\n ],\n \"default\": true,\n \"dns\": {}\n}]","openshift.io/scc":"restricted-v2","seccomp.security.alpha.kubernetes.io/pod":"runtime/default"},"container_id":"cri-o://05700f622d8f63bf5ef6ef9c44463c74e208f9225af9ac9d40c3537ac74c4bb6","container_image":"quay.io/openshifttest/ocp-logtest@sha256:6e2973d7d454ce412ad90e99ce584bf221866953da42858c4629873e53778606","container_image_id":"quay.io/openshifttest/ocp-logtest@sha256:6e2973d7d454ce412ad90e99ce584bf221866953da42858c4629873e53778606","container_name":"centos-logtest","labels":{"run-d":"centos-logtest-dev-d","test-d":"centos-logtest-dev-d"},"namespace_id":"4fa17cbb-2009-4a24-9ea4-631ff67506e2","namespace_labels":{"kubernetes_io_metadata_name":"my-app","pod-security_kubernetes_io_audit":"restricted","pod-security_kubernetes_io_audit-version":"v1.24","pod-security_kubernetes_io_warn":"restricted","pod-security_kubernetes_io_warn-version":"v1.24"},"namespace_name":"my-app","pod_id":"0d7d2952-3c0a-49e1-af99-7dd804751b85","pod_ip":"10.128.2.21","pod_name":"centos-logtest-mbs7b","pod_owner":"ReplicationController/centos-logtest"},"level":"default","log_type":"application","message":"{\"message\": \"MERGE_JSON_LOG=true\", \"level\": \"debug\",\"Layer1\": \"layer1 0\", \"layer2\": {\"name\":\"Layer2 1\", \"tips\":\"Decide by PRESERVE_JSON_LOG\"} , \"StringNumber\":\"10\", \"Number\": 10,\"foo.bar\":\"Dot Item\",\"{foobar}\":\"Brace Item\",\"[foobar]\":\"Bracket Item\", \"foo:bar\":\"Colon Item\",\"foo bar\":\"Space Item\" }","openshift":{"cluster_id":"9160f4db-f7c2-4970-b148-97226fddad15","sequence":6845}}
runtime-config.yaml
---
overrides:
  application:
    query_timeout: 3m
    blocked_queries:
    - pattern: |
        .*my-app.*
      regex: true
How reproducible: Always
Steps to reproduce:
1) Deploy CLO and LO v5.9
2) Provision lokistack with required regex pattern
3) Forward logs to Loki
4) Query for logs on namespace which should be blocked by regex
Expected result:
Query matching regex should be blocked
Actual result:
User can query data successfully
Additional Info:
When LokiStack is set up as below, the user's query gets denied as per policy.
spec:
  limits:
    tenants:
      application:
        queries:
          blocked:
          - pattern: '{kubernetes_namespace_name="my-app-1"}'
          queryTimeout: 3m
  managementState: Managed
.....
$ logcli -o raw --tls-skip-verify --bearer-token="$(oc whoami -t)" --addr="https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application" query '{kubernetes_namespace_name="my-app-1"}' | tail -1
2024/01/03 14:50:29 https://lokistack-dev-openshift-logging.apps.kbharti-0103a.qe.devcluster.openshift.com/api/logs/v1/application/loki/api/v1/query_range?direction=BACKWARD&end=1704273629493221000&limit=30&query=%7Bkubernetes_namespace_name%3D%22my-app-1%22%7D&start=1704270029493221000
2024/01/03 14:50:30 Error response from server: query blocked by policy (<nil>) attempts remaining: 0
2024/01/03 14:50:30 Query failed: run out of attempts while querying the server
runtime-config.yaml
---
overrides:
  application:
    query_timeout: 3m
    blocked_queries:
    - pattern: |
        {kubernetes_namespace_name="my-app-1"}
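An added example (not from this report, and not Loki or operator code) that goes slightly beyond the report: it decodes the `pattern: |` values from the two runtime-config.yaml excerpts and tests them against the queries used above. The `rule` type and the `blocked` matcher are assumptions for illustration, not a confirmed root cause; the only format fact relied on is that a YAML `|` block scalar keeps one trailing newline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule is a hypothetical stand-in for one blocked_queries entry.
type rule struct {
	Pattern string
	Regex   bool
}

// literalBlock returns what YAML yields for a "|" literal block scalar with
// default (clip) chomping: the content lines plus exactly one final newline.
func literalBlock(lines ...string) string {
	return strings.Join(lines, "\n") + "\n"
}

// blocked is an ASSUMED matcher, not Loki's code: exact rules compare
// whitespace-trimmed strings; regex rules use the pattern as decoded unless
// trim is set, in which case surrounding whitespace is stripped first.
func blocked(query string, r rule, trim bool) (bool, error) {
	if !r.Regex {
		return strings.TrimSpace(r.Pattern) == strings.TrimSpace(query), nil
	}
	p := r.Pattern
	if trim {
		p = strings.TrimSpace(p)
	}
	re, err := regexp.Compile(p)
	if err != nil {
		return false, fmt.Errorf("invalid blocked-query pattern %q: %w", p, err)
	}
	return re.MatchString(query), nil
}

func main() {
	// Patterns as they appear under "pattern: |" in the two excerpts above.
	regexRule := rule{Pattern: literalBlock(".*my-app.*"), Regex: true}
	exactRule := rule{Pattern: literalBlock(`{kubernetes_namespace_name="my-app-1"}`)}

	asIs, _ := blocked(`{kubernetes_namespace_name="my-app"}`, regexRule, false)
	trimmed, _ := blocked(`{kubernetes_namespace_name="my-app"}`, regexRule, true)
	exact, _ := blocked(`{kubernetes_namespace_name="my-app-1"}`, exactRule, false)
	fmt.Printf("decoded regex pattern: %q\n", regexRule.Pattern)
	fmt.Printf("regex as decoded=%v, regex trimmed=%v, exact=%v\n", asIs, trimmed, exact)
}
```

Printing a rendered pattern with `%q` makes trailing whitespace visible, which is a quick check to run on any blocked-query rule before relying on it as an access control.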