Merge pull request #112 from appuio/feat/lokistack-cluster-reader-log…

…-access Add support for configuring log access in LokiStack for `cluster-reader`
appuio · Jul 20, 2023 · b29ca18 · b29ca18
2 parents 6b74c95 + 7d6cb64
commit b29ca18
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 22 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -20,6 +20,9 @@ parameters:
     components:
       lokistack:
         enabled: false
+        clusterReaderLogAccess:
+          - application
+          - infrastructure
         logStore:
           access_key_id: ''
           access_key_secret: ''

diff --git a/component/loki.libsonnet b/component/loki.libsonnet
@@ -99,12 +99,30 @@ local netpol_lokigateway = kube.NetworkPolicy('allow-console-logging-lokistack-g
   },
 };
 
+// Aggregate permission to view all logs to `cluster-reader` role
+local aggregate_loki_log_access = kube.ClusterRole('syn:loki:cluster-reader') {
+  metadata+: {
+    labels+: {
+      'rbac.authorization.k8s.io/aggregate-to-cluster-reader': 'true',
+    },
+  },
+  rules: [
+    {
+      apiGroups: [ 'loki.grafana.com' ],
+      resources: com.renderArray(loki.clusterReaderLogAccess),
+      resourceNames: [ 'logs' ],
+      verbs: [ 'get' ],
+    },
+  ],
+};
+
 // Define outputs below
 if loki.enabled then
   {
     '50_loki_stack': lokistack,
     '50_loki_logstore': logstore,
     '50_loki_netpol': [ netpol_viewplugin, netpol_lokigateway ],
+    '50_loki_rbac': [ aggregate_loki_log_access ],
   }
 else
   std.trace(

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -191,36 +191,34 @@ The severity of the fired alert.
 
 == `components.lokistack`
 
+Configuration of the lokistack component.
+See subsections for supported keys.
+
+=== `components.lokistack.enabled`
+
 [horizontal]
-type:: dictionary
+type:: boolean
+default:: `false`
+
+Whether to deploy the LokiStack on the cluster.
+
+
+=== `components.lokistack.clusterReaderLogAccess`
+
+[horizontal]
+type:: list
 default::
 +
 [source,yaml]
 ----
-components:
-  lokistack:
-    enabled: false
-    logStore:
-      access_key_id: ''
-      access_key_secret: ''
-      endpoint: ''
-      bucketnames: '${cluster:name}-logstore'
-    spec:
-      size: 1x.extra-small
-      storage:
-        schemas:
-          - version: v12
-            effectiveDate: '2022-06-01'
-        secret:
-          type: s3
-          name: loki-logstore
-      storageClassName: ''
-      tenants:
-        mode: openshift-logging
+- application
+- infrastructure
 ----
 
-Configuration of the lokistack component.
+A list of log categories (supported values are `application`, `infrastructure` and `audit`) which can be viewed by users which have `cluster-reader` permissions.
+Entries in the list can be removed in the hierarchy by prefixing them with `~`.
 
+NOTE: We don't grant access to audit logs to `cluster-reader` by default since audit logs can contain sensitive information.
 
 === `components.lokistack.logStore`
 

diff --git a/tests/golden/lokistack/openshift4-logging/openshift4-logging/50_loki_rbac.yaml b/tests/golden/lokistack/openshift4-logging/openshift4-logging/50_loki_rbac.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: syn-loki-cluster-reader
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true'
+  name: syn:loki:cluster-reader
+rules:
+  - apiGroups:
+      - loki.grafana.com
+    resourceNames:
+      - logs
+    resources:
+      - application
+      - infrastructure
+    verbs:
+      - get