From caf427b13dcbd516d0d5dd65650b92dc672b9c58 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Thu, 20 Feb 2025 16:47:26 +0100 Subject: [PATCH] OBSDOCS-1814: Docs for Tempo query RBAC Signed-off-by: Pavol Loffay --- ...distr-tracing-tempo-config-query-rbac.adoc | 107 ++++++++++++++++++ .../distr-tracing-tempo-configuring.adoc | 2 + 2 files changed, 109 insertions(+) create mode 100644 modules/distr-tracing-tempo-config-query-rbac.adoc diff --git a/modules/distr-tracing-tempo-config-query-rbac.adoc b/modules/distr-tracing-tempo-config-query-rbac.adoc new file mode 100644 index 000000000000..c1c6e59879a6 --- /dev/null +++ b/modules/distr-tracing-tempo-config-query-rbac.adoc 
@@ -0,0 +1,107 @@ +// Module included in the following assemblies: +// +// * observability/distr_tracing/distr-tracing-tempo-configuring.adoc + +:_mod-docs-content-type: PROCEDURE +[id="distr-tracing-tempo-configuring-query-rbac_{context}"] += Configuring the query RBAC + +As an administrator, you can set up the query role-based access control (RBAC) to filter the span attributes for your users by the namespaces for which you granted them permissions. + +[NOTE] +==== +When you enable the query RBAC, users can still access traces from all namespaces, and the `service.name` and `k8s.namespace.name` attributes are also visible to all users. +==== + +.Prerequisites + +* An active {oc-first} session by a cluster administrator with the `cluster-admin` role. ++ +[TIP] +==== +* Ensure that your {oc-first} version is up to date and matches your {product-title} version. + +* Run `oc login`: ++ +[source,terminal] +---- +$ oc login --username= +---- +==== + +.Procedure + +. Enable multitenancy and query RBAC in the `TempoStack` custom resource (CR), for example: ++ +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoStack +metadata: + name: simplest + namespace: chainsaw-multitenancy +spec: + storage: + secret: + name: minio + type: s3 + storageSize: 1Gi + resources: + total: + limits: + memory: 2Gi + cpu: 2000m + tenants: + mode: openshift + authentication: + - tenantName: dev + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" + template: + gateway: + enabled: true # <1> + rbac: + enabled: true # <2> + queryFrontend: + jaegerQuery: + enabled: false # <3> +---- +<1> Always set to `true`. +<2> Always set to `true`. +<3> Always set to `false`. + +. 
Create a cluster role and cluster role binding to grant the target users the permissions to access the tenant that you specified in the `TempoStack` CR, for example: ++ +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tempo-dev-read +rules: +- apiGroups: [tempo.grafana.com] + resources: [dev] # <1> + resourceNames: [traces] + verbs: [get] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tempo-dev-read +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tempo-dev-read +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: system:authenticated # <2> +---- +<1> Tenant name in the `TempoStack` CR. +<2> Means all authenticated OpenShift users. + +. Grant the target users the permissions to read attributes for the project. You can do this by running the following command: ++ +[source,bash] +---- +$ oc adm policy add-role-to-user view -n +---- diff --git a/observability/distr_tracing/distr-tracing-tempo-configuring.adoc b/observability/distr_tracing/distr-tracing-tempo-configuring.adoc index 0435f14ce0c9..b13268e9a74d 100644 --- a/observability/distr_tracing/distr-tracing-tempo-configuring.adoc +++ b/observability/distr_tracing/distr-tracing-tempo-configuring.adoc @@ -60,6 +60,8 @@ include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.ado * xref:../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates] * xref:../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] +include::modules/distr-tracing-tempo-config-query-rbac.adoc[leveloffset=+1] + [id="taints-and-tolerations_{context}"] == Using taints and tolerations
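Review bot: The example ClusterRoleBinding binds `tempo-dev-read` to the `system:authenticated` group, so every authenticated user in the cluster gets read access to the `dev` tenant, and the NOTE at the top of the module says query RBAC still lets users see traces from all namespaces, so copying the example verbatim widens access to the whole tenant's trace data rather than restricting it. Callout `<2>` should say this plainly and steer readers to a narrower subject, for example `<2> Grants every authenticated OpenShift user read access to this tenant's traces. For production, bind the role to a specific group or user instead; query RBAC filters span attributes only and does not hide traces.` The `oc login --username=` and `oc adm policy add-role-to-user view -n` commands appear to have lost their argument placeholders (presumably a user name and a project name) and as rendered here are not runnable, so the placeholders should be shown explicitly. The final step also does not state which namespace the `view` role must be granted in; it reads as the namespace whose span attributes the user should be able to see, and saying so would remove the guesswork.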