Why not delegate the management of the Logging collectors to project admins in RHOCP 4
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
- Red Hat OpenShift Logging (RHOL) 5.8, 5.9, 6
Issue
- Why should the deployment and configuration of the log collectors not be delegated to the project admins?
- How to delegate the deployment and configuration of the log collectors to the project admins
- As per company security policies, it's not allowed to grant a clusterRole to any user, and it's required to provide the serviceAccount that the logging collectors use with permission to read the logs
- As OpenShift admin, it's desired to delegate the management of the log collection for their own namespaces to the project admins
Resolution
It's not recommended to delegate the log collection to a user who is not an OpenShift Admin.
Some options so that the OpenShift Admin doesn't need to configure the different sources and destinations in the Red Hat Logging stack on a daily basis are:
1. CI/CD
Implementing a CI/CD pipeline where the developers submit their configuration for the logs and the pipeline validates this configuration and generates the configuration for the "ClusterLogForwarder".
2. Forward the logs to an intermediate endpoint
Deploying an intermediate endpoint to which the collectors forward the logs.
In this intermediate endpoint, the developers can configure the needed filters and destinations.
This intermediate endpoint doesn't carry the risk of the collector reading the logs from the nodes, as it doesn't require "hostPath".
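The following is an added example of the CI/CD approach from option 1; it is not code from the original solution or from the Red Hat Logging operator. It assumes a hypothetical request format (a namespace plus the outputs a team wants) and renders the accepted requests into a ClusterLogForwarder using the RHOL 5.x logging.openshift.io/v1 layout (inputs, outputs, pipelines), so the cluster admin applies the result while project admins never touch the collector or hostPath.

```python
"""Constructed example: CI step that validates per-namespace log-forwarding requests
from project admins and renders them into one ClusterLogForwarder (RHOL 5.x schema).
The request format and the policy values are hypothetical."""
from urllib.parse import urlparse

# Output types the platform team permits (hypothetical allow-list)
ALLOWED_TYPES = {"loki", "elasticsearch", "kafka", "syslog"}


def validate_request(req: dict, owned_namespaces: set) -> list:
    """Return the list of policy violations; an empty list means the request is accepted."""
    errors = []
    ns = req.get("namespace")
    if ns not in owned_namespaces:
        errors.append(f"namespace {ns!r} is not owned by the requesting team")
    for out in req.get("outputs", []):
        if out.get("type") not in ALLOWED_TYPES:
            errors.append(f"output type {out.get('type')!r} is not permitted")
        scheme = urlparse(out.get("url", "")).scheme
        if scheme not in {"https", "tls"}:
            errors.append(f"output {out.get('name')!r} must use TLS (got {scheme!r})")
    return errors


def render_clf(requests: list) -> dict:
    """Merge accepted requests into one ClusterLogForwarder, pinning each input to its namespace."""
    inputs, outputs, pipelines = [], [], []
    for req in requests:
        ns = req["namespace"]
        inputs.append({"name": f"app-{ns}", "application": {"namespaces": [ns]}})
        for out in req["outputs"]:
            oname = f"{ns}-{out['name']}"
            outputs.append({"name": oname, "type": out["type"], "url": out["url"]})
            pipelines.append({"name": f"{ns}-to-{out['name']}",
                              "inputRefs": [f"app-{ns}"], "outputRefs": [oname]})
    return {"apiVersion": "logging.openshift.io/v1", "kind": "ClusterLogForwarder",
            "metadata": {"name": "instance", "namespace": "openshift-logging"},
            "spec": {"inputs": inputs, "outputs": outputs, "pipelines": pipelines}}


# Constructed sample: the team owns only "team-a"; the second request asks for a
# namespace it does not own and a plaintext endpoint, so it must be rejected.
SAMPLE_REQUESTS = [
    {"namespace": "team-a", "outputs": [{"name": "loki", "type": "loki", "url": "https://loki.example.internal:3100"}]},
    {"namespace": "openshift-apiserver", "outputs": [{"name": "kafka", "type": "kafka", "url": "tcp://broker:9092"}]},
]


def run_pipeline(requests: list, owned_namespaces: set) -> dict:
    """CI entry point: drop requests with violations, render the rest for the admin to apply."""
    accepted = [r for r in requests if not validate_request(r, owned_namespaces)]
    return render_clf(accepted)
```

In a real pipeline the ownership set would come from the team's RoleBindings and rejected requests would fail the job with the violation list.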
Root Cause
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
Any log collection solution needs permissions to use hostPath to be able to read the logs:
- logs produced by pods and written by CRI-O to the host path /var/log/pods
- audit logs written by the OS or some Kubernetes components such as the KubeAPI
- journald logs
The hostPath, as the name says, mounts in the pod a filesystem from the OS, and this involves several risks as explained in the Kubernetes upstream documentation.
The risks explained by the Kubernetes documentation are the same reason it is not recommended to delegate the log collection to a user who is not the OpenShift Admin.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.