From 1003186aee14af223ff09825878b7f9c6f533813 Mon Sep 17 00:00:00 2001 From: Sara Thomas Date: Thu, 22 Feb 2024 11:37:46 -0500 Subject: [PATCH] OCPBUGS-27426:Add admin groups info to NetObserv --- logging/log_storage/cluster-logging-loki.adoc | 2 +- ...ogging-creating-new-group-cluster-admin-user-role.adoc | 3 ++- modules/logging-loki-log-access.adoc | 8 ++++++++ modules/network-observability-lokistack-create.adoc | 3 --- network_observability/installing-operators.adoc | 7 ++----- snippets/logging-clusteradmin-access-logs-snip.adoc | 1 - 6 files changed, 13 insertions(+), 11 deletions(-) diff --git a/logging/log_storage/cluster-logging-loki.adoc b/logging/log_storage/cluster-logging-loki.adoc index d74c02b31e1e..140d19886bac 100644 --- a/logging/log_storage/cluster-logging-loki.adoc +++ b/logging/log_storage/cluster-logging-loki.adoc @@ -39,7 +39,7 @@ ifdef::openshift-enterprise[] * xref:../../nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.adoc#nodes-scheduler-pod-topology-spread-constraints-configuring[Controlling pod placement by using pod topology spread constraints] endif::[] -include::modules/logging-loki-log-access.adoc[leveloffset=+1] +include::modules/logging-loki-log-access.adoc[leveloffset=+1,tag=!NetObservMode] [role="_additional-resources"] .Additional resources diff --git a/modules/logging-creating-new-group-cluster-admin-user-role.adoc b/modules/logging-creating-new-group-cluster-admin-user-role.adoc index 9abbbfe29dd9..3487aa8b3c03 100644 --- a/modules/logging-creating-new-group-cluster-admin-user-role.adoc +++ b/modules/logging-creating-new-group-cluster-admin-user-role.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: -// cluster-logging-loki.adoc +// * cluster-logging-loki.adoc +// * network_observability/installing-operators.adoc :_mod-docs-content-type: PROCEDURE [id="logging-creating-new-group-cluster-admin-user-role_{context}"] 
diff --git a/modules/logging-loki-log-access.adoc b/modules/logging-loki-log-access.adoc index 0f4218acd811..149f88bc45c8 100644 --- a/modules/logging-loki-log-access.adoc +++ b/modules/logging-loki-log-access.adoc @@ -1,5 +1,6 @@ // Module included in the following assemblies: // +// * network_observability/installing-operators.adoc // * logging/cluster-logging-loki.adoc :_mod-docs-content-type: CONCEPT @@ -70,6 +71,7 @@ subjects: ---- <1> Specifies the namespace this `RoleBinding` applies to. +// tag::CustomAdmin[] == Custom admin group access If you have a large deployment with a number of users who require broader permissions, you can create a custom group using the `adminGroup` field. Users who are members of any group specified in the `adminGroups` field of the `LokiStack` CR are considered admins. Admin users have access to all application logs in all namespaces, if they also get assigned the `cluster-logging-application-view` role. @@ -84,7 +86,12 @@ metadata: namespace: openshift-logging spec: tenants: +# tag::LokiMode[] mode: openshift-logging # <1> +# end::LokiMode[] +# tag::NetObservMode[] + mode: openshift-network # <1> +# end::NetObservMode[] openshift: adminGroups: # <2> - cluster-admin @@ -93,3 +100,4 @@ spec: <1> Custom admin groups are only available in this mode. <2> Entering an empty list `[]` value for this field disables admin groups. <3> Overrides the default groups (`system:cluster-admins`, `cluster-admin`, `dedicated-admin`) +// end::CustomAdmin[] \ No newline at end of file diff --git a/modules/network-observability-lokistack-create.adoc b/modules/network-observability-lokistack-create.adoc index 8fab5ab2de44..e5cd4869fcc6 100644 --- a/modules/network-observability-lokistack-create.adoc +++ b/modules/network-observability-lokistack-create.adoc 
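Review bot: In the `@@ -84,7 +86,12 @@` hunk the `NetObservMode`/`LokiMode` tags swap only the `mode:` line, so the Network Observability rendering of this access-control section keeps the logging-specific text around it. That text includes the context line `namespace: openshift-logging` and the sentence granting access to "all application logs in all namespaces" through the `cluster-logging-application-view` role. Whether that namespace and role apply to a Network Observability LokiStack is not visible in this patch and should be confirmed, because readers will use the section to decide which groups get cluster-wide admin access. Callout <1> now renders under both modes while claiming exclusivity; if both modes support admin groups, as this change implies, reword it to something like `<1> Custom admin groups are available only in the openshift-logging and openshift-network tenant modes.` The introductory paragraph also mixes `adminGroup` and `adminGroups`, and the file now ends at `// end::CustomAdmin[]` with no trailing newline.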
@@ -8,9 +8,6 @@ You can deploy a LokiStack using the web console or CLI to create a namespace, or new project. -include::snippets/logging-clusteradmin-access-logs-snip.adoc[] -For more information about creating a `cluster-admin` group, see the "Additional resources" section. - .Procedure . Navigate to *Operators* -> *Installed Operators*, viewing *All projects* from the *Project* dropdown. diff --git a/network_observability/installing-operators.adoc b/network_observability/installing-operators.adoc index 0b8928a68779..21939fa6fde2 100644 --- a/network_observability/installing-operators.adoc +++ b/network_observability/installing-operators.adoc @@ -29,11 +29,8 @@ include::modules/network-observability-loki-secret.adoc[leveloffset=+2] * xref:../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage] include::modules/network-observability-lokistack-create.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources -* xref:../logging/log_storage/cluster-logging-loki.adoc#logging-creating-new-group-cluster-admin-user-role_cluster-logging-loki[Creating a new group for the cluster-admin user role] - +include::modules/logging-creating-new-group-cluster-admin-user-role.adoc[leveloffset=+2] +include::modules/logging-loki-log-access.adoc[leveloffset=+1,tags=CustomAdmin;NetObservMode;!LokiMode] include::modules/loki-deployment-sizing.adoc[leveloffset=+2] include::modules/network-observability-lokistack-ingestion-query.adoc[leveloffset=+2] include::modules/network-observability-multitenancy.adoc[leveloffset=+2] diff --git a/snippets/logging-clusteradmin-access-logs-snip.adoc b/snippets/logging-clusteradmin-access-logs-snip.adoc index caaefe596aa3..794061c1e10e 100644 --- a/snippets/logging-clusteradmin-access-logs-snip.adoc +++ b/snippets/logging-clusteradmin-access-logs-snip.adoc 
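Review bot: In the `installing-operators.adoc` hunk the two added `include::` directives sit directly against the neighbouring includes, because the blank lines that separated them were removed with the "Additional resources" block. The tag-filtered include starts at `== Custom admin group access` (the `// tag::CustomAdmin[]` line is dropped on output) and its module ends without a newline. The heading can therefore be absorbed into the last block of `logging-creating-new-group-cluster-admin-user-role.adoc`, and the start of `loki-deployment-sizing.adoc` can attach to the callout list. Put a blank line before and after each added include so the admin-group section renders as its own section. The filter also drops the module's own `[id=...]` and title, so it is worth checking that nothing cross-references this section by that anchor.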
@@ -4,7 +4,6 @@ // Text snippet included in the following modules: // // * modules/logging-creating-new-group-cluster-admin-user-role.adoc -// * modules/network-observability-lokistack-create.adoc // :_mod-docs-content-type: SNIPPET