Bug 1636252

Summary: [RFE] Limiting admin/cluster-admin access to certain namespace logs, allow developers
Product: OpenShift Container Platform Reporter: Marc Nozell <mnozell>
Component: RFEAssignee: Paul Weil <pweil>
Status: CLOSED DEFERRED QA Contact: Xiaoli Tian <xtian>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: aos-bugs, erich, jokerman, mmccomas, mnozell, rmeggins
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-18 16:58:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1664187    

Description Marc Nozell 2018-10-04 20:42:13 UTC 
3. What is the nature and description of the request?

Enhancement of RBAC to limit access to namespace logs.  This allows removing admin/cluster-admin access to specific namespaces while allowing access to others. Also, other specified accounts could be given access.

4. Why does the customer need this? (List the business requirements here)

There are sensitive projects logs that the operations team should not have access to, but specified developers require to have access

5. How would the customer like to achieve this? (List the functional requirements here)

Have log access to have RBAC control

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Remove access to logs for admin/cluster-admin
Add access to logs for DeveloperA
DeveloperA creates project, deploys pods, etc
DeveloperA can use ‘oc logs $pod’ and see logs
Operator can not see pod logs using same commands

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

Similar to BZ 1490391 (Elasticsearch should use OCP roles to filter access to logs)

10. List any affected packages or components.

Unknown

11. Would the customer be able to assist in testing this functionality if implemented?

Yes
Comment 1 Jeff Cantrill 2018-10-04 20:45:30 UTC 
If I understand this correctly, you essentially want cluster admins to ONLY see infra logs and project owners to ONLY see project logs.  Is that correct?  Is this possible now by granting the appropriate policy to a user?  Can you restrict cluster-admin from seeing pod logs?
Comment 3 Marc Nozell 2018-10-04 20:50:49 UTC 
Jeff --

Just for certain projects that are considered sensitive, only specific developers would have access to the logs for that project.  

Operators would not have access to just those sensitive projects.  

Other projects would behave like they do today.

This RFE is similar but a little different from BZ 1490391
Comment 4 Jeff Cantrill 2018-10-04 21:08:30 UTC 
You did not answer my questions:

(In reply to Jeff Cantrill from comment #1)
> If I understand this correctly, you essentially want cluster admins to ONLY
> see infra logs and project owners to ONLY see project logs.  Is that
> correct?  

> Is this possible now by granting the appropriate policy to a user? Can you restrict cluster-admin from seeing pod logs?
Comment 5 Jeff Cantrill 2018-10-19 20:55:54 UTC 
Captured in https://jira.coreos.com/browse/LOG-196 so it can be scheduled and prioritized
Comment 7 Red Hat Bugzilla 2023-09-15 00:12:45 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days