-
Feature
-
Resolution: Done
-
Normal
-
Logging 5.6
-
None
-
False
-
None
-
False
-
Not Selected
Proposed title of this feature request
Restrict Loki labels
What is the nature and description of the request?
Even when from the OCP Console is not possible to list the labels stored in Loki, when it's deployed in OpenShift a Grafana and integrated to read the logs from Loki, they are visible by default (from other namespaces and also for infrastructure/audit logs).
Then, it's requested to restrict Loki access to the labels where the user has not access at the cluster level.
An example of this:
The user has only visibility of project test, but has access to the labels of more projects:
$ curl -k -G -H "Authorization: Bearer <retracted>" https://localhost:8080/api/logs/v1/application/loki/api/v1/label/kubernetes_namespace_name/values|jq { "status": "success", "data": [ "costmanagement-metrics-operator", "knative-eventing", "knative-serving", "knative-serving-ingress", "test", ... ] }
The user should have only visibility of:
$ curl -k -G -H "Authorization: Bearer <retracted>" https://localhost:8080/api/logs/v1/application/loki/api/v1/label/kubernetes_namespace_name/values|jq { "status": "success", "data": [ "test" ] }
Why does the customer need this? (List the business requirements)
When it's integrated Loki with Grafana for visibility of the logs, all labels contained in Loki are visible when an user should be able only to see the labels where has rights to access in the OpenShift level.
This impacts to the security by default. Currently, the users could see labels that are not allowed to see by default at the OCP level.
List any affected packages or components.
Loki