3. What is the nature and description of the request?
Enhancement of RBAC to limit access to namespace logs. This allows removing admin/cluster-admin access to specific namespaces while allowing access to others. Also, other specified accounts could be given access.

4. Why does the customer need this? (List the business requirements here)
There are sensitive project logs that the operations team should not have access to, but specified developers require access.

5. How would the customer like to achieve this? (List the functional requirements here)
Have log access to have RBAC control

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
- Remove access to logs for admin/cluster-admin
- Add access to logs for DeveloperA
- DeveloperA creates project, deploys pods, etc.
- DeveloperA can use ‘oc logs $pod’ and see logs
- Operator cannot see pod logs using same commands

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
Similar to BZ 1490391 (Elasticsearch should use OCP roles to filter access to logs)

10. List any affected packages or components.
Unknown

11. Would the customer be able to assist in testing this functionality if implemented?
Yes
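The test in item 6, modelled as an added example (not part of the original report and not Red Hat or OpenShift code): a simplified evaluator for additive Kubernetes-style RBAC rules that lists who can `get pods/log` in a namespace. The namespace names, the `log-reader` and `deployer` roles, and the DeveloperB and DeveloperC subjects are constructed sample data; only rule matching on verbs, API groups and resources is modelled.

```python
# Added example: simplified model of additive RBAC rule matching.
# All namespaces, role names and bindings below are constructed sample data.

def rule_allows(rule, verb, group, resource):
    """True if one RBAC policy rule grants verb on group/resource."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    resources = rule.get("resources", [])
    # "pods/log" is a subresource; "*/log" matches it on any resource.
    sub = resource.split("/", 1)[1] if "/" in resource else None
    res_ok = hit(resources, resource) or (sub is not None and f"*/{sub}" in resources)
    return hit(rule.get("verbs", []), verb) and hit(rule.get("apiGroups", []), group) and res_ok

def log_readers(roles, bindings, namespace):
    """Subjects that can 'get pods/log' in namespace. RBAC has no deny rules,
    so a subject is allowed if ANY bound role has a matching rule."""
    readers = set()
    for b in bindings:
        # Cluster-wide bindings (namespace None) apply to every namespace.
        if b["namespace"] not in (None, namespace):
            continue
        if any(rule_allows(r, "get", "", "pods/log") for r in roles[b["role"]]):
            readers.update(b["subjects"])
    return sorted(readers)

ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "log-reader": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list"]}],
    "deployer": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
                  "verbs": ["get", "list", "create"]}],
}
BINDINGS = [
    {"namespace": None, "role": "cluster-admin", "subjects": ["Operator"]},
    {"namespace": "sensitive-project", "role": "log-reader", "subjects": ["DeveloperA"]},
    {"namespace": "sensitive-project", "role": "deployer", "subjects": ["DeveloperB"]},
    {"namespace": "other-project", "role": "log-reader", "subjects": ["DeveloperC"]},
]

if __name__ == "__main__":
    # Who can read pod logs in the sensitive namespace?
    print(log_readers(ROLES, BINDINGS, "sensitive-project"))
```

In this model, granting DeveloperA log access needs only a namespaced role with `pods/log`, while the Operator bound to the wildcard `cluster-admin` role still matches, because additive rules cannot subtract a permission.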
If I understand this correctly, you essentially want cluster admins to ONLY see infra logs and project owners to ONLY see project logs. Is that correct? Is this possible now by granting the appropriate policy to a user? Can you restrict cluster-admin from seeing pod logs?
Jeff -- Just for certain projects that are considered sensitive, only specific developers would have access to the logs for that project. Operators would not have access to just those sensitive projects. Other projects would behave like they do today. This RFE is similar but a little different from BZ 1490391
You did not answer my questions:

(In reply to Jeff Cantrill from comment #1)
> If I understand this correctly, you essentially want cluster admins to ONLY
> see infra logs and project owners to ONLY see project logs. Is that
> correct?
> Is this possible now by granting the appropriate policy to a user? Can you restrict cluster-admin from seeing pod logs?
Captured in https://jira.coreos.com/browse/LOG-196 so it can be scheduled and prioritized
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days