OpenShift Logging / LOG-6156

Loki - CCO-Integration GCP Identity Federation Support

    • Epic
    • Resolution: Unresolved
    • Normal
    • Log Storage
    • Green
    • NEW
    • Done
    • OBSDA-527 - Enable Grafana support for cloud providers in Loki
    • 0% To Do, 100% In Progress, 0% Done
    • This update adds Loki CCO-managed support for the GCP workload identity federation mechanism, for authenticated and authorized access to the corresponding object storage services.
    • S

      Goals

      1. Add Loki upstream and downstream support for the GCP workload identity federation mechanism for authenticated and authorized access to the corresponding object storage services.

      Non-Goals

      1. TBD

      Motivation

      As identity federation, offered by all cloud providers, gains traction in all major managed and unmanaged Kubernetes distributions, the Log Storage components require support to align with this IAM pattern. Workload Identity Federation (WIF) for GCP allows more secure and centralized access for any service-to-service communication from workloads and infrastructure components running on a Kubernetes/OpenShift cluster. It enables a faster turnaround time on stopping unqualified access to any service in case of breaches into services of entire clusters. Specifically for log storage based on Loki, it gives more secure access to logs stored in object storage buckets without the need to touch the service, its configuration, or any environment. Usually, service operations continue seamlessly by accessing the credentials provided to the running containers by the host. In case of credential revocation, the revocation cascades through the cloud provider IAM services to the hosts and in turn to the containers automatically.

      Alternatives

      None.

      Acceptance Criteria

      1. The LokiStack administrator can define a valid object storage secret that enables using Google Workload Identity Federation, granting access to GCS.

      Risk and Assumptions

      None.

      Documentation Considerations

      Requires completion of OBSDOCS-219 and expanding it to explain how to use the extra setting in the object storage secret configuration for each cloud provider's identity federation. Beyond that, it requires a concise authn/authz setting per provider that configures the granted rights to access GCS/S3/Blob Storage on each provider (see https://grafana.com/docs/loki/v2.9.x/storage/#aws-deployment-s3-single-store).

      Open Questions

      Additional Notes

              rojacob@redhat.com Robert Jacob
              ptsiraki@redhat.com Periklis Tsirakidis
              Kabir Bharti