1. Proposed title of this feature request
Better control over access to logs in LokiStack for enterprise environments
2. What is the nature and description of the request?
Currently, access to logs in LokiStack is granted when a user access has to the given namespace or when the user is part of a specific cluster-admin Group.
Still there are different use-cases that are not covered with this scenario but should be evaluated as otherwise RBAC permissions from OpenShift Container Platform 4 are not properly reflected in LokiStack.
Use Case number one, is where a user has access to specific namespace to see the objects included but is denied to view logs from pods (for legal reason mostly).
Use Case number two, is where a number of people have elevated permissions and therefore are able to access pretty much all namespaces on the OpenShift Container Platform 4 - Cluster. Usually those people are responsible to enable and support application when onboarding to OpenShift Container Platform 4 and therefore have again permissions to see most of the objects in the given namespaces. But again due to legal and data protection constrains, those users can not have access to logs and therefore LokiStack should prevent them from seeing applicaiton specific logs.
Important, the users having access to all namespaces in the OpenShift Container Platform 4 - Clusters may still be namespace admin for specific namespaces (as they may be responsible for some application) and for the same, they should be able to see the logs in LokiStack.
3. Why does the customer need this? (List the business requirements here)
In enterprise environments, where OpenShift Container Platform 4 is used across different legal entities, it's common to have central teams that support the application teams in the respective entities. But given that some application may log sensitive data, those centralized support teams are not granted access to logs but they can only view specific objecs, such as pods in the namespace.
Even though OpenShift Container Platform 4 does allow to configure RBAC to address these use-cases, LokiStack does not and therefore grants access to logs for people that should not see them.
Also important, users can have elevanted permissions to accesss all namespaces in a OpenShift Container Platform 4 - Cluster and not see logs but also have their own application running where they are full application admin and thus require access to logs, also through LokiStack.
4. List any affected packages or components.