Loki - CCO-Integration GCP Identity Federation Support
- Epic
- Resolution: Unresolved
- Normal
- Green
- NEW
- Done
- OBSDA-527 - Enable Grafana support for cloud providers in Loki
- 0% To Do, 33% In Progress, 67% Done
- This update adds Loki CCO-managed support for the GCP workload identity federation mechanism, for authenticated and authorized access to the corresponding object storage services.
- If Release Note Needed, Set a Value
- S
Goals
- Add Loki upstream and downstream support for GCP workload identity federation mechanism for authenticated and authorized access of the corresponding object storage services.
Non-Goals
- TBD
Motivation
Identity federation is offered by all major cloud providers and is gaining traction in all major managed and unmanaged Kubernetes distributions, so the Log Storage components need support for this IAM pattern. Workload Identity Federation (WIF) for GCP allows more secure and centralized access control for any service-to-service communication from workloads and infrastructure components running on a Kubernetes/OpenShift cluster. It enables a faster turnaround time for stopping unqualified access to any service in case of a breach of services across entire clusters. Specifically for log storage based on Loki, it provides more secure access to logs stored in object storage buckets without the need to touch the service, its configuration, or any environment. Service operations normally continue seamlessly by using the credentials that the host provides to the running containers. In case of credential revocation, the revocation cascades through the cloud provider's IAM services to the hosts and in turn to the containers automatically.
Alternatives
None.
Acceptance Criteria
- The LokiStack administrator can define a valid object storage secret that enables using Google Workload Identity Federation for granting access to GCS.
Risk and Assumptions
None.
Documentation Considerations
Requires completion of OBSDOCS-219 and expanding it to explain how to use the extra settings in the object storage secret configuration for each cloud provider's identity federation. Beyond that, it requires a concise authn/authz setting per provider that configures the rights granted to access GCS/S3/Blob Storage on each provider (see https://grafana.com/docs/loki/v2.9.x/storage/#aws-deployment-s3-single-store).
Open Questions
Additional Notes
- For GCP WIF, consider the following two sections in the CCO's docs: overview and credentials-secret-details
- Upstream Enhancement proposal: https://github.com/grafana/loki/pull/11060
- OpenShift Enhancement proposal: https://github.com/openshift/enhancements/pull/1503