From 87d27295ef24e0038a7351f33e32f9a84890d928 Mon Sep 17 00:00:00 2001
From: Ashwin Mehendale
Date: Fri, 17 Oct 2025 12:21:07 +0530
Subject: [PATCH] OBSDOCS-1806: Tailored Network Policies for Loki Operator

---
 configuring/configuring-the-log-store.adoc | 13 +++++
 ...configuring-a-network-policy-for-loki.adoc | 56 +++++++++++++++++++
 ...-network-policy-with-external-systems.adoc | 52 +++++++++++++++++
 modules/loki-network-policies.adoc | 15 +++++
 modules/loki-networkpolicy-resources.adoc | 53 ++++++++++++++++++
 5 files changed, 189 insertions(+)
 create mode 100644 modules/configuring-a-network-policy-for-loki.adoc
 create mode 100644 modules/integrating-loki-network-policy-with-external-systems.adoc
 create mode 100644 modules/loki-network-policies.adoc
 create mode 100644 modules/loki-networkpolicy-resources.adoc

diff --git a/configuring/configuring-the-log-store.adoc b/configuring/configuring-the-log-store.adoc
index c7c393836c07..cf77750badcd 100644
--- a/configuring/configuring-the-log-store.adoc
+++ b/configuring/configuring-the-log-store.adoc
@@ -66,6 +66,19 @@ include::modules/loki-zone-aware-replication.adoc[leveloffset=+2]
 include::modules/loki-zone-fail-recovery.adoc[leveloffset=+2]
 include::modules/loki-rate-limit-errors.adoc[leveloffset=+2]
+[id="loki-network-policies-for-added-security_{context}"]
+== Loki network policies for added security
+
+{loki-op} can deploy and manage a set of network policies that restrict the communications to and from the Loki components to enhance security.
+
+include::modules/loki-network-policies.adoc[leveloffset=+2]
+
+include::modules/configuring-a-network-policy-for-loki.adoc[leveloffset=+2]
+
+include::modules/loki-networkpolicy-resources.adoc[leveloffset=+2]
+
+include::modules/integrating-loki-network-policy-with-external-systems.adoc[leveloffset=+2]
+
 
 //log based alerts
 [id="log-based-alerts_{context}"]
 == Log-based alerts for Loki
diff --git a/modules/configuring-a-network-policy-for-loki.adoc b/modules/configuring-a-network-policy-for-loki.adoc new file mode 100644 index 000000000000..57b7b055e160 --- /dev/null +++ b/modules/configuring-a-network-policy-for-loki.adoc @@ -0,0 +1,56 @@ +:_newdoc-version: 2.18.4 +:_template-generated: 2025-10-17 +:_mod-docs-content-type: PROCEDURE + +[id="configuring-a-network-policy-for-loki_{context}"] += Configuring a network policy for Loki + +Enable or disable the deployment of `NetworkPolicies` per LokiStack by setting the `networkPolicies` field. + +.Prerequisites +* You have administrator permissions. +* You have installed the {oc-first}. +* You have installed the {loki-op}. +* You have created a `LokiStack` custom resource (CR). + +.Procedure +. Update the `LokiStack` CR: ++ +[source,yaml] +---- +apiVersion: loki.grafana.com/v1 +kind: LokiStack +metadata: + name: logging-loki + namespace: openshift-logging +spec: + size: 1x.small + storage: + schemas: + - version: v13 + effectiveDate: "--
" + secret: + name: logging-loki-s3 + type: s3 + storageClassName: + tenants: + mode: openshift-logging + networkPolicies: + ruleSet: RestrictIngressEgress +---- ++ +You can set one of the following values for the `spec.networkPolicies.ruleSet` field: ++ +`None`:: +{loki-op} will not deploy any network policy. +`RestrictIngressEgress`:: +{loki-op} will deploy a set of network policies that restrict the communications to and from the Loki components. ++ +If you do not define a `spec.networkPolicies.ruleSet` value, the platform and operator default values are inherited and full network access is allowed. + +. Apply the `LokiStack` CR object by running the following command: ++ +[source,terminal] +---- +$ oc apply -f .yaml +---- diff --git a/modules/integrating-loki-network-policy-with-external-systems.adoc b/modules/integrating-loki-network-policy-with-external-systems.adoc new file mode 100644 index 000000000000..a1b0552c50bf --- /dev/null +++ b/modules/integrating-loki-network-policy-with-external-systems.adoc 
@@ -0,0 +1,52 @@ +:_newdoc-version: 2.18.4 +:_template-generated: 2025-10-17 +:_mod-docs-content-type: PROCEDURE + +[id="integrating-loki-network-policy-with-external-systems_{context}"] += Integrating Loki network policy with external systems + +To integrate Loki with external systems such as custom dashboards, or external alerting, create additional network policies. +You can select specific components by using the label `app.kubernetes.io/component`. +Always include the labels `app.kubernetes.io/name=lokistack` and `app.kubernetes.io/instance={name}` to avoid collision with other pods deployed in the namespace. + +.Prerequisites +* You have administrator permissions. +* You have installed the {oc-first}. +* You have installed the {loki-op}. +* You have created a `LokiStack` custom resource (CR). + +.Procedure +. Create a network policy: ++ +[source,yaml] +---- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: lokistack + app.kubernetes.io/instance: + app.kubernetes.io/component: + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: + ports: + - protocol: TCP + port: +---- ++ +Replace with the component you want to integrate with. + +. Apply the network policy: ++ +[source,terminal] +---- +$ oc apply -f .yaml +---- diff --git a/modules/loki-network-policies.adoc b/modules/loki-network-policies.adoc new file mode 100644 index 000000000000..112a903a436f --- /dev/null +++ b/modules/loki-network-policies.adoc 
@@ -0,0 +1,15 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: CONCEPT
+
+[id="loki-network-policies_{context}"]
+= Loki network policies
+
+You can enable the {loki-op} to automatically create a `NetworkPolicy` resource that implements a "default deny" security model with explicit allow rules for required communications.
+Network policies provide network segmentation for your LokiStack deployment by controlling ingress and egress traffic between Loki components and external services.
+The network policies in {loki-op} are designed to be secure by default while maintaining compatibility across diverse environments.
+
+Network policies for Loki on {ocp-product-title} include the following additional integrations:
+
+* Monitoring: Automatic integration with the {ocp-product-title} monitoring stack.
+* DNS: Support for both standard and {ocp-product-title} DNS services (port 5353).
diff --git a/modules/loki-networkpolicy-resources.adoc b/modules/loki-networkpolicy-resources.adoc
new file mode 100644
index 000000000000..9ecc367aaf7a
--- /dev/null
+++ b/modules/loki-networkpolicy-resources.adoc
@@ -0,0 +1,53 @@
+:_newdoc-version: 2.18.4
+:_template-generated: 2025-10-17
+:_mod-docs-content-type: REFERENCE
+
+[id="loki-networkpolicy-resources_{context}"]
+= Loki NetworkPolicy resources
+
+When network policies are enabled, the {loki-op} creates several NetworkPolicy resources to secure different aspects of your `LokiStack` deployment.
+
+[cols="1,1,1"]
+|====
+|Policy name
+|Purpose
+|Components affected
+
+|{name}-default-deny
+|A baseline deny-all policy
+|All LokiStack pods
+
+|{name}-loki-allow
+|Inter-component communication allowed
+|All Loki components
+
+|{name}-loki-allow-metrics
+|Allow metric scraping on the prometheus endpoint
+|All Loki components
+
+
+|{name}-loki-allow-bucket-egress
+|Policy for object storage access
+|ingester, querier, index-gateway, compactor, ruler
+
+|{name}-loki-allow-gateway-ingress
+|Allow gateway access to Loki components
+|distributor, query-frontend, ruler
+
+|{name}-gateway-allow
+|Gateway external and monitoring access
+|LokiStack-gateway
+
+|{name}-gateway-allow-metrics
+|Allow metric scraping on the prometheus endpoint
+|LokiStack-gateway
+
+|{name}-ruler-allow-alert-egress
+|Allow ruler egress to AlertManager
+|ruler
+
+|{name}-loki-allow-query-frontend
+|Query frontend external access
+|query-frontend (OpenShift network mode)
+
+|====