Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: Logging 5.8.4
Affects Version/s: Logging 5.8.z
Component/s: Log Storage
Labels:
- bug
- devel_ack+
- logging
- loki
- rbac

Blocked:
False
Blocked Reason:
None
Ready:
False
Docs QE Status:
NEW
QE Status:
VERIFIED
Release Note Text:

Hide
Before this update, the Cluster Logging Operator only deployed ClusterRoles supporting LokiStack deployments, when a LokiStack was selected as a default log output. With this update, the roles are split into two groups (read and write) and the read roles are also deployed, when no LokiStack is used as default log output but the Logging Console is enabled.

Show
Before this update, the Cluster Logging Operator only deployed ClusterRoles supporting LokiStack deployments, when a LokiStack was selected as a default log output. With this update, the roles are split into two groups (read and write) and the read roles are also deployed, when no LokiStack is used as default log output but the Logging Console is enabled.
Release Note Type:
Bug Fix
Git Pull Request:
https://github.com/openshift/cluster-logging-operator/pull/2311

Sprint:
Log Storage - Sprint 246, Log Storage - Sprint 247, Log Storage - Sprint 248
Severity:
Important

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

When following https://docs.openshift.com/container-platform/4.14/logging/log_storage/cluster-logging-loki.html#logging-loki-log-access_cluster-logging-loki to configure fine grained access for Loki logs, it was noticed that ClusterRoles are only created, when LokiStack is configured as log store in clusterlogging/instance

This can also be confirmed, when looking at logstore.go.

With LOG-3856 we enabled users to run elasticsearch and LokiStack in parallel to run the transition in more smooth manner for Enterprise Environment.

Therefore the missing ClusterRole are now breaking that experience as things don't behave as expected and we are missing out the required ClusterRole. Even if no transition is made and only LokiStack is being used, the ClusterRoles are also missing but should eventually be provided to manage access to logs, stored in LokiStack

Version-Release number of selected component (if applicable):

OpenShift Container Platform 4 - Cluster Logging 5.8.1

How reproducible:

Always

Steps to Reproduce:

Setup OpenShift Container Platform 4 - Cluster Logging with LokiStack and elasticsearch both in managed state and thus keep elasticsearch the log store configured in clusterlogging/instance. If needed, review LOG-3856 for more details

Actual results:

The ClusterRole documented in https://docs.openshift.com/container-platform/4.14/logging/log_storage/cluster-logging-loki.html#logging-loki-log-access_cluster-logging-loki are not being created

Expected results:

The ClusterRole documented in https://docs.openshift.com/container-platform/4.14/logging/log_storage/cluster-logging-loki.html#logging-loki-log-access_cluster-logging-loki are being created, when LokiStack is configured/created no matter if it's defined as log store in clusterlogging/instance

Additional info:

It's possible to create the ClusterRole manually but it would be appreciated to have it managed by either ClusterLogging or LokiStack Operator.

Attachments

Issue Links

clones

LOG-4898 Required ClusterRole for fine grained access for Loki logs are only created when LokiStack is configured as default log store

Closed

links to

openshift/cluster-logging-operator#2311: LOG-4987: Deploy LokiStack read roles when console is active

RHBA-2024:1065 Logging for Red Hat OpenShift - 5.8.4

mentioned on

Merge request - Updated US source to: 7a77626 LOG-4987: Deploy LokiStack read roles when console is active

Activity

People

Assignee:: Robert Jacob

Reporter:: Simon Reber

QA Contact:: Kabir Bharti

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2024/01/17 5:38 PM

Updated:: 2024/03/06 12:35 AM

Resolved:: 2024/03/06 12:35 AM