Task
Resolution: Obsolete
As a LokiStack admin operating Loki-Operator on OCP, I want the lokistack-gateway's OPA agent to delegate authorization requests to OCP's apiserver, so that developers can access only the namespaces they are authorized to access.
Acceptance criteria:
- The opa-openshift sidecar delegates authorization requests via SubjectAccessReviews to OCP apiserver.
- The opa-openshift sidecar returns a list of permitted namespaces to the lokistack-gateway authorizer for the Developer persona.
- The opa-openshift sidecar permits access to all namespaces to the lokistack-gateway for the Admin persona.
- The lokistack-gateway passes a list of namespaces as extra label filter for the Developer persona to Loki's query frontend.
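A worked model of the flow in the acceptance criteria, added here as an example; it is not code from opa-openshift, opa-ams or Loki-Operator. The apiserver SubjectAccessReview is replaced by a constructed in-memory fake, the candidate namespace list is passed in by the caller, and the `kubernetes_namespace_name` label used in the extra filter is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// SubjectAccessReviewer stands in for the apiserver SubjectAccessReview call:
// ns == "" asks for a cluster-wide grant, anything else for a namespaced one.
type SubjectAccessReviewer interface {
	Allowed(user string, groups []string, ns string) bool
}
// fakeSAR is a constructed stand-in: user -> granted namespaces, "*" = cluster-wide.
type fakeSAR struct{ grants map[string][]string }
func (f fakeSAR) Allowed(user string, _ []string, ns string) bool {
	for _, g := range f.grants[user] {
		if g == "*" || (ns != "" && g == ns) { return true }
	}
	return false
}
// Decision goes back to the gateway authorizer; Allowed with Namespaces == nil
// means unrestricted access (Admin persona).
type Decision struct{ Allowed bool; Namespaces []string }
// Authorize tries a cluster-wide grant first (Admin), then one review per
// candidate namespace (Developer), and fails closed when none is permitted.
func Authorize(sar SubjectAccessReviewer, user string, groups, candidates []string) Decision {
	if sar.Allowed(user, groups, "") {
		return Decision{Allowed: true}
	}
	var permitted []string
	for _, ns := range candidates {
		if sar.Allowed(user, groups, ns) {
			permitted = append(permitted, ns)
		}
	}
	return Decision{Allowed: len(permitted) > 0, Namespaces: permitted}
}
// NamespaceFilter renders the extra label matcher for a Developer (the label
// name is assumed); names are regex-escaped so none can widen the selector.
func NamespaceFilter(d Decision) string {
	if !d.Allowed || d.Namespaces == nil {
		return ""
	}
	esc := make([]string, len(d.Namespaces))
	for i, ns := range d.Namespaces {
		esc[i] = regexp.QuoteMeta(ns)
	}
	return fmt.Sprintf(`{kubernetes_namespace_name=~"%s"}`, strings.Join(esc, "|"))
}
```

An empty filter is returned both for an Admin and for a denied request, so the gateway must check `Allowed` before deciding whether to forward the query unrestricted.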
Dev notes:
- Will need to implement this, based on https://github.com/observatorium/opa-ams
- Single HTTP handler that will run as a container in the lokistack-gateway pod
- Will need to be connected to CPaaS (will be a separate card)
- Repo should be created under the ViaQ org
Docs impact:
- Need to capture the requirements for being considered an Admin user for Loki
- cc rdlugyhe
- documents
LOG-1513 [lokistack-gateway] Provide an opa-openshift sidecar
- Closed