Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: Logging 6.5.0
Affects Version/s: Logging 6.0.3
Component/s: Log Storage
Labels:
- no-errata
- no-rn

Activity Type:
Product / Portfolio Work
Story Points:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Type:
Release Note Not Required
Git Pull Request:
https://github.com/observatorium/api/pull/813, https://github.com/observatorium/opa-openshift/pull/33
Intelligence Requested:
Market:

Original story points:
5
Sprint:
Log Storage - Sprint 269, Log Storage - Sprint 270, Log Storage - Sprint 271, Log Storage - Sprint 272, Log Storage - Sprint 273, Logging - Sprint 274, Logging - Sprint 275, Logging - Sprint 276, Logging - Sprint 277, Logging - Sprint 278, Logging - Sprint 279, Logging - Sprint 281

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Context

The loki-gateway which depends on observatorium/api & observatorium/opa-openshift issues TokenReviews to get user info from kube-api (observatorium/api) and preforms SubjectAccessReview to know if a user can access a given resource, namely namespaces (observatorium/opa-openshift). However to issue both these requests to kube-api the loki-gateway SA needs RBAC. In this issue our goal is to replace TokenReview with SelfSubjectReview and SubjectAccessReview with SelfSubjectAccessReview

Acceptance criteria

In observatorium/api replace TokenReview with SelfSubjectReview
In observatorium/opa-openshift replace SubjectAccessReview with SelfSubjectAccessReview
In loki-operator enable both feature flags in both api & opa-openshift

Assignee:: Joao Marcal

Reporter:: Joao Marcal

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/04/02 9:43 AM

Updated:: 2025/11/17 1:58 PM

Details

Description

Context

Acceptance criteria

Attachments

Easy Agile Planning Poker

Activity

People

Dates