Bug 1636252 - [RFE] Limiting admin/cluster-admin access to certain namespace logs, allow developers
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Paul Weil
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks: 1664187
 
Reported: 2018-10-04 20:42 UTC by Marc Nozell
Modified: 2023-09-15 00:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-18 16:58:32 UTC
Target Upstream Version:
Embargoed:



Description Marc Nozell 2018-10-04 20:42:13 UTC
3. What is the nature and description of the request?

Enhancement of RBAC to limit access to namespace logs.  This allows removing admin/cluster-admin access to specific namespaces while allowing access to others. Also, other specified accounts could be given access.

4. Why does the customer need this? (List the business requirements here)

There are sensitive project logs that the operations team should not have access to, but that specified developers require access to.

5. How would the customer like to achieve this? (List the functional requirements here)

Have log access under RBAC control.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Remove access to logs for admin/cluster-admin
Add access to logs for DeveloperA
DeveloperA creates project, deploys pods, etc
DeveloperA can use 'oc logs $pod' and see logs
Operator cannot see pod logs using the same commands

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

Similar to BZ 1490391 (Elasticsearch should use OCP roles to filter access to logs)

10. List any affected packages or components.

Unknown

11. Would the customer be able to assist in testing this functionality if implemented?

Yes

Comment 1 Jeff Cantrill 2018-10-04 20:45:30 UTC
If I understand this correctly, you essentially want cluster admins to ONLY see infra logs and project owners to ONLY see project logs.  Is that correct?  Is this possible now by granting the appropriate policy to a user?  Can you restrict cluster-admin from seeing pod logs?
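
The question in comment 1 ("is this possible now by granting the appropriate policy?" and "can you restrict cluster-admin?") can be answered by modelling how the API server evaluates RBAC for `oc logs`. The block below is an added example, not code from this bug or from OpenShift: it reimplements the relevant part of Kubernetes RBAC evaluation (union of allow rules, no deny, `*` wildcards, RoleBinding scoped to a namespace vs ClusterRoleBinding cluster-wide) over constructed roles and bindings. The users developer-a, cluster-operator and scoped-operator, the projects sensitive and public, and the OPS_NO_LOGS role are all hypothetical. `oc logs $pod` is a GET on the pod's `log` subresource, which RBAC authorizes as resource `pods/log`, so a namespaced Role can grant exactly that to a developer; but because evaluation is purely additive, nothing can subtract `pods/log` from cluster-admin's wildcard rule, and the "remove access for cluster-admin" step is only achievable by binding operators to a narrower cluster role instead of cluster-admin.

```python
"""Minimal model of Kubernetes/OpenShift RBAC evaluation for `oc logs`.

`oc logs $pod` issues GET on the `log` subresource of the pod, which RBAC
checks as resource "pods/log" in the pod's namespace.  All roles, bindings
and user names below are constructed for this example, not taken from a
real cluster.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: each field is a tuple of names; "*" matches anything."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None)
    that grants `rules` to `subject`."""
    subject: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None


def _matches(allowed: Tuple[str, ...], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    # A subresource such as "pods/log" must be listed as "pods/log" (or "*");
    # a rule that only lists "pods" does not cover the log stream.
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def can_i(bindings, subject, verb, resource, namespace, api_group="") -> bool:
    """Union-of-allows semantics: the request succeeds if ANY binding that
    applies to the subject in this namespace carries a matching rule.
    There is no deny rule, so nothing bound elsewhere can subtract access."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only applies inside its own namespace
        if any(rule_allows(r, api_group, resource, verb) for r in b.rules):
            return True
    return False


# --- constructed roles -------------------------------------------------------
# Shape of the built-in cluster-admin: wildcard everything, so "pods/log" in
# every namespace matches and no further binding can take it away.
CLUSTER_ADMIN = (Rule(("*",), ("*",), ("*",)),)

# Namespaced Role for developers of a sensitive project: read pods and logs.
POD_LOG_READER = (Rule(("",), ("pods", "pods/log"), ("get", "list", "watch")),)

# Hypothetical ClusterRole for operations: day-2 access that omits pods/log.
OPS_NO_LOGS = (
    Rule(("",), ("pods", "services", "events"), ("get", "list", "watch")),
    Rule(("apps",), ("deployments", "replicasets"), ("get", "list", "watch", "patch")),
)

BINDINGS = (
    Binding("developer-a", POD_LOG_READER, namespace="sensitive"),  # RoleBinding
    Binding("cluster-operator", CLUSTER_ADMIN),                      # ClusterRoleBinding
    Binding("scoped-operator", OPS_NO_LOGS),                         # ClusterRoleBinding
    Binding("scoped-operator", POD_LOG_READER, namespace="public"),  # RoleBinding
)


def log_access_matrix(bindings=BINDINGS):
    """Who can `oc logs` in which project; mirrors `oc auth can-i get pods/log`."""
    subjects = ("developer-a", "cluster-operator", "scoped-operator")
    return {s: {ns: can_i(bindings, s, "get", "pods/log", ns)
                for ns in ("sensitive", "public")} for s in subjects}


if __name__ == "__main__":
    for subject, access in log_access_matrix().items():
        print(f"{subject:17s} {access}")
```

On a real cluster the same matrix is obtained with `oc auth can-i get pods/log -n sensitive --as=developer-a` for each user and project. Two caveats for anyone implementing the workaround: the default `admin`, `edit` and `view` ClusterRoles all include `pods/log`, so project-level roles must be custom ones if operators are to keep project access without logs; and API-level RBAC only governs `oc logs`, since whoever can reach node filesystems or the aggregated log store (the subject of BZ 1490391) still reads the same data.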

Comment 3 Marc Nozell 2018-10-04 20:50:49 UTC
Jeff --

Just for certain projects that are considered sensitive, only specific developers would have access to the logs for that project.  

Operators would not have access to just those sensitive projects.  

Other projects would behave like they do today.

This RFE is similar but a little different from BZ 1490391

Comment 4 Jeff Cantrill 2018-10-04 21:08:30 UTC
You did not answer my questions:

(In reply to Jeff Cantrill from comment #1)
> If I understand this correctly, you essentially want cluster admins to ONLY
> see infra logs and project owners to ONLY see project logs.  Is that
> correct?  

> Is this possible now by granting the appropriate policy to a user? Can you restrict cluster-admin from seeing pod logs?

Comment 5 Jeff Cantrill 2018-10-19 20:55:54 UTC
Captured in https://jira.coreos.com/browse/LOG-196 so it can be scheduled and prioritized

Comment 7 Red Hat Bugzilla 2023-09-15 00:12:45 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

