Description of problem:
I initially thought I needed the "cluster-admin" or "cluster-reader" role to access Elasticsearch after reading reference [0]. But that is not true. If you have any role that includes the 'get' verb on the 'pods/log' resource, you can access Elasticsearch directly without any restrictions. I don't know what difference there is between the "view" and "cluster-reader" roles when accessing Elasticsearch.

[0] Allowing cluster-reader to view operations logs
[https://docs.openshift.com/container-platform/3.7/install_config/aggregate_logging.html#aggregated-elasticsearch]

Version-Release number of selected component (if applicable):
* OCP
oc v3.7.23
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://lb0h.ocp37.host.local:8443
openshift v3.7.23
kubernetes v1.7.6+a08f5eeb62
* Aggregated Logging
Kibana: 4.6.4
Elasticsearch: 2.4.4

How reproducible:
* Create the serviceaccount and add the "view" role or any role including the following rules.
~~~
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    openshift.io/description: Access to elasticsearch
    openshift.io/reconcile-protect: "false"
  creationTimestamp: null
  name: getlogs
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - pods/log
  verbs:
  - get
~~~
e.g.>
# oc create sa testsa
# oc adm policy add-cluster-role-to-user view -z testsa

* Then you can test with the curl command as follows.
# curl -sk -H "Authorization: Bearer $(oc sa get-token testsa)" -H "X-Forwarded-For: 127.0.0.1" 'https://elasticsearch-route.app.example.com/_search?q=*&pretty'

Steps to Reproduce:
1.
2.
3.

Actual results:
You can search any logs if you have a role whose rules include the 'get' verb on the 'pods/log' resource.

Expected results:
We cannot access Elasticsearch without the cluster-admin or cluster-reader role.

Additional info:
We need more specific information on OpenShift roles for controlling access to Elasticsearch from external sources.
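The report hinges on which roles carry `get` on `pods/log`, since that is the permission the logging proxy checks. The following is an added audit helper, not code from the report or from OpenShift: it takes the JSON that `oc get clusterroles -o json` returns (a constructed sample, modelled on the `getlogs` role above, is embedded so it runs offline; the other role names in it are assumptions) and lists every role whose rules grant that permission, honouring the `*` wildcard in apiGroups, resources and verbs and treating `pods` and `pods/log` as distinct resources, as the RBAC evaluator does.

```python
import json
import sys

# Constructed sample in the shape of `oc get clusterroles -o json`.
# "getlogs" mirrors the ClusterRole quoted in the report; the other
# three roles are invented for illustration.
SAMPLE_ROLES_JSON = """
{
  "items": [
    {"kind": "ClusterRole", "metadata": {"name": "getlogs"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "log-lister"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["list", "watch"]}]}
  ]
}
"""


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC rule allows `verb` on `resource` in `api_group`.

    Each list may contain "*" as a wildcard.  A bare "pods" entry does
    not cover the "pods/log" subresource; the evaluator matches the full
    resource string.  resourceNames restrictions are ignored here, so the
    result is an upper bound on what the rule allows.
    """
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed

    return (matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def role_grants(role, api_group, resource, verb):
    """True if any rule of the role grants the permission."""
    return any(rule_grants(r, api_group, resource, verb)
               for r in role.get("rules", []))


def roles_granting(roles_json, api_group="", resource="pods/log", verb="get"):
    """Return the sorted names of roles in a List document that grant the permission."""
    doc = json.loads(roles_json)
    return sorted(role["metadata"]["name"] for role in doc["items"]
                  if role_grants(role, api_group, resource, verb))


if __name__ == "__main__":
    # Read real cluster output when piped in, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLES_JSON
    for name in roles_granting(data):
        print(name)
```

Against the sample this reports `getlogs` and `wildcard-admin`; `pod-viewer` is excluded because `pods` does not imply `pods/log`, and `log-lister` because it lacks the `get` verb. To audit a live cluster, run `oc get clusterroles -o json | python3 audit.py` and then check the bindings of each listed role, since a role only matters once it is bound to a user or service account.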
Sounds like you are describing that logging is functioning as designed. Users with a 'cluster-reader' role or who can see the infra namespaces (e.g. default, logging) are able to see logs from the entire cluster. Users who can 'get pod logs' are able to see only the logs in their namespaces.