  1. Observability Documentation
  2. OBSDOCS-785

No instructions to enable traffic between openshift-console and openshift-logging


    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • Logging 5.8, Logging 5.6, Logging 5.7
    • Logging
    • 3
    • False
    • False
    • Moderate

      URL:

      Allowing traffic between projects when network isolation is enabled

      Section

      Logging > Installing Logging > Allowing traffic between projects when network isolation is enabled

      Description

      In the past, as the traffic was only between the `openshift-operators-redhat` and `openshift-logging` namespaces, the instructions given in Allowing traffic between projects when network isolation is enabled were enough.

      With the arrival of Loki, where the OpenShift console is used to visualize the logs, access from the `openshift-console` namespace to the `openshift-logging` namespace is also needed. The current section of the documentation should therefore be adapted in a couple of points:

      1. When using OpenShift SDN in multitenant mode

      The present command is:

      $ oc adm pod-network join-projects --to=openshift-operators-redhat openshift-logging
      

      A second command should be added for the case where log visualization with the web console is used, allowing access from `openshift-console` to `openshift-logging`:

      $ oc adm pod-network join-projects --to=openshift-console openshift-logging
      

      2. When using OpenShift SDN in network policy mode

      Modify the current sentences to read as follows:

      a. Set a label on the `openshift-operators-redhat` and `openshift-console` namespaces. For example:

      $ oc label namespace openshift-operators-redhat project=openshift-operators-redhat
      $ oc label namespace openshift-console project=openshift-console

      Modify the sentence:

      b. Create a network policy object in the openshift-logging namespace that allows ingress from the openshift-operators-redhat, openshift-monitoring and openshift-ingress projects to the openshift-logging project. For example:

      To read:

      b. Create a network policy object in the openshift-logging namespace that allows ingress from the openshift-operators-redhat, openshift-monitoring, openshift-console and openshift-ingress projects to the openshift-logging project. For example:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-monitoring-ingress-operators-redhat
      spec:
        ingress:
        - from:
          - podSelector: {}
        - from:
          - namespaceSelector:
              matchLabels:
                project: "openshift-operators-redhat"
        - from:
          - namespaceSelector:
              matchLabels:
                name: "openshift-monitoring"
        - from:
          - namespaceSelector:
              matchLabels:
                project: "openshift-console"
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
        podSelector: {}
        policyTypes:
        - Ingress 

              Unassigned Unassigned
              rhn-support-ocasalsa Oscar Casal Sanchez
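The following is an added example, not part of the issue or of the product documentation: a small evaluator for the ingress rules of the proposed policy, showing that `openshift-console` is admitted only when the console rule is present and the namespace carries the `project=openshift-console` label from step a. It assumes `matchLabels`-only selectors and a policy created in `openshift-logging`; the function names and the namespace label sets are constructed for illustration.

```python
def selector_matches(selector, labels):
    """matchLabels semantics: every pair must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def admits_namespace(policy, src_ns, src_labels):
    """True if some ingress rule admits traffic from namespace src_ns."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from", [])
        if not peers:  # a rule with no 'from' admits any source
            return True
        for peer in peers:
            if "namespaceSelector" in peer:
                if selector_matches(peer["namespaceSelector"], src_labels):
                    return True
            elif "podSelector" in peer and src_ns == policy_ns:
                return True  # bare podSelector: same namespace only
    return False

def ns_rule(key, value):
    """One ingress rule selecting source namespaces by a single label."""
    return {"from": [{"namespaceSelector": {"matchLabels": {key: value}}}]}

def build_policy(with_console):
    """Policy from the issue; with_console=False gives the currently documented one."""
    rules = [
        {"from": [{"podSelector": {}}]},
        ns_rule("project", "openshift-operators-redhat"),
        ns_rule("name", "openshift-monitoring"),
        ns_rule("network.openshift.io/policy-group", "ingress"),
    ]
    if with_console:
        rules.append(ns_rule("project", "openshift-console"))
    # Namespace taken from the text: the object is created in openshift-logging.
    return {"metadata": {"namespace": "openshift-logging"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": rules}}

# Constructed label sets for the console namespace, after and before step a.
CONSOLE_LABELLED = {"project": "openshift-console"}
CONSOLE_UNLABELLED = {"kubernetes.io/metadata.name": "openshift-console"}

if __name__ == "__main__":
    for name, with_console, labels in [
        ("documented policy, labelled console", False, CONSOLE_LABELLED),
        ("proposed policy, unlabelled console", True, CONSOLE_UNLABELLED),
        ("proposed policy, labelled console", True, CONSOLE_LABELLED),
    ]:
        ok = admits_namespace(build_policy(with_console), "openshift-console", labels)
        print(f"{name}: {'allowed' if ok else 'denied'}")
```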