Bug 1490391 - [RFE] Elasticsearch should use OCP roles to filter access to logs
Summary: [RFE] Elasticsearch should use OCP roles to filter access to logs
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Jeff Cantrill
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-11 12:56 UTC by Ruben Romero Montes
Modified: 2019-08-08 02:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 11:58:48 UTC
Target Upstream Version:
Embargoed:


Attachments
cluster-restricted-admin-role.json (16.11 KB, text/plain)
2017-09-11 12:56 UTC, Ruben Romero Montes
cluster-restricted-reader-role.json (12.47 KB, text/plain)
2017-09-11 12:57 UTC, Ruben Romero Montes

Description Ruben Romero Montes 2017-09-11 12:56:11 UTC
3. What is the nature and description of the request?
While viewing logs in Kibana, a user without permissions to view any pod's logs will have access just by having permissions to see a project. This is just by being able to perform the "view" verb on the resource "namespace". However, it does not take into consideration the possibility that some users don't have access to "view" the following resources:
 "pods/log"
 "builds/log"
 "deploymentconfigs/log"

This is why the way Elasticsearch + SearchGuard currently allows a user to access logs is not sufficient.

4. Why does the customer need this? (List the business requirements here)
Given the company's security constraints, not everyone administering the cluster has access to sensitive data like secrets or logs. Those "restricted-admins" have access to the namespaces but must not have access to the logs.

5. How would the customer like to achieve this? (List the functional requirements here)
- As a "cluster-admin" I want to be able to restrict who has access to pod logs even though they have access to the namespace.
- As a "restricted-admin" I shouldn't be able to see pod logs in Kibana, the same way I don't have access to them using the OpenShift CLI.


6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Given the attached cluster roles and a user having been assigned the cluster role "cluster-restricted-admin", this user will not be able to see any logs from any pod.
However, if the user is somehow granted the permissions to see certain pods' logs, those pods will be shown in Kibana.

10. List any affected packages or components.
Aggregated logging framework
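The distinction the report draws is between a coarse check ("can the user view the namespace?") and the per-resource checks OpenShift itself applies to `pods/log`, `builds/log` and `deploymentconfigs/log`. The following is an added example, not code from the bug report or from OpenShift's logging stack: a small evaluator for Kubernetes/OpenShift-style RBAC PolicyRules that runs both checks against two constructed rule sets (approximations of a "restricted admin" and of an ordinary "view"-style role, not the attached JSON files), plus a helper that builds the `authorization.k8s.io/v1` SubjectAccessReview body a log backend would send to the API server to delegate the decision. The matching semantics (`*` wildcards, `resource/subresource` and `*/subresource` entries) follow Kubernetes RBAC as I understand it; the user, group and namespace names are placeholders.

```python
"""Added example (not part of the bug report or OpenShift's code): contrast the
coarse "view namespace" check with per-log-resource RBAC checks, and show the
SubjectAccessReview a log backend could issue to delegate the real decision."""
import json

# Constructed: a "restricted admin" who may see the namespace and its workloads
# but holds no grant on any */log subresource.
RESTRICTED_ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps.openshift.io"], "resources": ["deploymentconfigs"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["build.openshift.io"], "resources": ["builds"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed: a "view"-style role that does include the log subresources.
VIEW_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods", "pods/log", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps.openshift.io"],
     "resources": ["deploymentconfigs", "deploymentconfigs/log"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["build.openshift.io"], "resources": ["builds", "builds/log"],
     "verbs": ["get", "list", "watch"]},
]

# The three log subresources the report lists, with the API group each lives in.
LOG_RESOURCES = [("", "pods/log"), ("build.openshift.io", "builds/log"),
                 ("apps.openshift.io", "deploymentconfigs/log")]


def _resource_matches(allowed, resource):
    """'*' matches everything; otherwise an exact 'resource' or
    'resource/subresource' entry, or a '*/subresource' wildcard, must be present."""
    if "*" in allowed or resource in allowed:
        return True
    _, _, sub = resource.partition("/")
    return bool(sub) and f"*/{sub}" in allowed


def rule_allows(rule, group, resource, verb):
    """One PolicyRule grants the request only if group, resource and verb all match."""
    groups_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    verbs_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return groups_ok and verbs_ok and _resource_matches(rule["resources"], resource)


def can_i(rules, group, resource, verb):
    """True if any rule in the (cluster)role grants verb on group/resource."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def subject_access_review(user, groups, namespace, group, resource, verb):
    """Body of the SubjectAccessReview a log backend would POST to the API server
    so the cluster's own authorizer answers the question. 'pods/log' is expressed
    as resource 'pods' plus subresource 'log'."""
    res, _, sub = resource.partition("/")
    attrs = {"namespace": namespace, "verb": verb, "group": group, "resource": res}
    if sub:
        attrs["subresource"] = sub
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": list(groups), "resourceAttributes": attrs}}


def log_access_decision(rules):
    """Compare the coarse namespace-visibility check with per-log-resource checks."""
    decision = {"namespace_visible": can_i(rules, "", "namespaces", "get")}
    for group, resource in LOG_RESOURCES:
        decision[resource] = can_i(rules, group, resource, "get")
    # A log viewer should show a pod's logs only when the pods/log check passes,
    # not merely because the namespace itself is visible to the user.
    decision["should_show_pod_logs"] = decision["pods/log"]
    return decision


if __name__ == "__main__":
    for name, rules in (("restricted-admin", RESTRICTED_ADMIN_RULES), ("view", VIEW_RULES)):
        print(name, json.dumps(log_access_decision(rules)))
    # Placeholder user/group/namespace names.
    print(json.dumps(subject_access_review("alice", ["system:authenticated"],
                                           "myproject", "", "pods/log", "get"), indent=2))
```

Run stand-alone, the restricted-admin rules yield `namespace_visible: true` but `pods/log: false`, which is exactly the case the report describes: a namespace-only check would let Kibana display logs the user cannot read through `oc logs`. Delegating each per-pod decision to a SubjectAccessReview (rather than re-implementing rule matching in the log backend) keeps the two code paths from drifting apart.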

Comment 1 Ruben Romero Montes 2017-09-11 12:56:56 UTC
Created attachment 1324458 [details]
cluster-restricted-admin-role.json

Comment 2 Ruben Romero Montes 2017-09-11 12:57:27 UTC
Created attachment 1324459 [details]
cluster-restricted-reader-role.json

Comment 10 Kirsten Newcomer 2019-06-12 11:58:48 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed.

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.
