-
Bug
-
Resolution: Done
-
Normal
-
Logging 6.3.0
-
Quality / Stability / Reliability
-
2
-
False
-
-
False
-
NEW
-
VERIFIED
-
Before this bug when the LokiStack tenant was openshift-network the loki-gateway was not applying the OR expression that it was before. This bugfix corrects that behaviour to once again inject that expression in queries
-
Bug Fix
-
-
-
Logging - Sprint 274, Logging - Sprint 275, Logging - Sprint 276
-
Important
Description of problem:
When user is non-admin accessing the logs, Loki 6.3.0 doesn't respect all the labels passed. It returns the logs even when one of the label matches the logs.
This doesn't seem to happen when user is kubeadmin
Version-Release number of selected component (if applicable):
6.3.0
How reproducible:
Consistently
Steps to Reproduce:
- Create namespaces as non-admin user.
- Fetch logs from loki using logcli with query where some labels are not expected match and some labels are expected.
- For instance in below example it returned results for label matching 'SrcK8S_Type="Service"' in query '{app="netobserv-flowcollector", SrcK8S_Namespace="test-server-63839", DstK8S_Namespace="test-client-63839", FlowDirection="0", SrcK8S_OwnerName="nginx-service"}'
$ oc whoami testuser-0 $ oc projects You have access to the following projects and can switch between them with ' project <projectname>': testuser-0-x760gl9w-client testuser-0-x760gl9w-server $ logcli -o raw --tls-skip-verify --bearer-token="$(oc whoami -t)" --org-id=openshift-network --addr=https://lokistack-netobserv.apps.memodi-07240950.qe.devcluster.openshift.com/api/logs/v1/network query '{app="netobserv-flowcollector", SrcK8S_Namespace="test-server-63839", DstK8S_Namespace="test-client-63839", FlowDirection="0", SrcK8S_OwnerName="nginx-service"}' --limit 2 | jq 2025/07/24 16:39:02 https://lokistack-netobserv.apps.memodi-07240950.qe.devcluster.openshift.com/api/logs/v1/network/loki/api/v1/query_range?direction=BACKWARD&end=1753389542280722000&limit=2&query=%7Bapp%3D%22netobserv-flowcollector%22%2C+SrcK8S_Namespace%3D%22test-server-63839%22%2C+DstK8S_Namespace%3D%22test-client-63839%22%2C+FlowDirection%3D%220%22%2C+SrcK8S_OwnerName%3D%22nginx-service%22%7D&start=1753385942280722000 2025/07/24 16:39:02 Common labels: {DstK8S_Namespace="testuser-0-x760gl9w-client", DstK8S_OwnerName="client", DstK8S_Type="Pod", FlowDirection="0", K8S_FlowLayer="app", SrcK8S_Namespace="testuser-0-x760gl9w-server", SrcK8S_OwnerName="nginx-service", SrcK8S_Type="Service", app="netobserv-flowcollector"} { "DstK8S_OwnerType": "Pod", "DstMac": "0a:58:0a:81:02:1d", "Packets": 8, "TimeFlowEndMs": 1753389534319, "Sampling": 1, "Bytes": 103180, "Etype": 2048, "DstK8S_HostIP": "10.0.48.212", "AgentIP": "10.0.48.212", "DstAddr": "10.129.2.29", "SrcPort": 8080, "SrcK8S_NetworkName": "primary", "DstPort": 40860, "SrcMac": "0a:58:0a:81:02:1c", "Interfaces": [ "bed2a652f9af16a" ], "Udns": [ "" ], "Proto": 6, "DstK8S_Name": "client", "DstSubnetLabel": "Pods", "IfDirections": [ 1 ], "SrcK8S_Name": "nginx-service", "DstK8S_NetworkName": "primary", "Flags": [ "ACK", "SYN_ACK", "FIN_ACK" ], "SrcAddr": "172.30.67.241", "SrcK8S_OwnerType": "Service", "SrcSubnetLabel": "Services", "Dscp": 0, "TimeFlowStartMs": 1753389534318, "TimeReceived": 1753389539, "DstK8S_HostName": "ip-10-0-48-212.us-east-2.compute.internal" } { "Etype": 2048, "DstMac": "0a:58:0a:81:02:1d", "Bytes": 103180, "TimeReceived": 1753389534, "Proto": 6, "SrcK8S_OwnerType": "Service", "Udns": [ "" ], "Sampling": 1, "Flags": [ "ACK", "SYN_ACK", "FIN_ACK" ], "SrcAddr": "172.30.67.241", "DstAddr": "10.129.2.29", "DstPort": 40856, "TimeFlowEndMs": 1753389529313, "DstK8S_HostName": "ip-10-0-48-212.us-east-2.compute.internal", "SrcMac": "0a:58:0a:81:02:1c", "SrcK8S_Name": "nginx-service", "DstK8S_OwnerType": "Pod", "Interfaces": [ "bed2a652f9af16a" ], "SrcK8S_NetworkName": "primary", "DstSubnetLabel": "Pods", "Packets": 8, "DstK8S_Name": "client", "DstK8S_HostIP": "10.0.48.212", "AgentIP": "10.0.48.212", "Dscp": 0, "DstK8S_NetworkName": "primary", "SrcSubnetLabel": "Services", "SrcPort": 8080, "TimeFlowStartMs": 1753389529313, "IfDirections": [ 1 ] }
Actual results:
Logs are returned even when some labels do not match.
Expected results:
No logs should be returned since some labels in same query does not match
Additional info:
https://redhat-internal.slack.com/archives/C02939DP5L5/p1753311945534509
- is cloned by
-
LOG-7449 [release-6.2] Loki doesn't respect query labels when non-admin access logs
-
- Closed
-
- links to