RBAC Example: Access to Business Application and OS Logs Only

This article provides a detailed example of how to give different user groups access to different scopes of cluster logging and monitoring information using RBAC.

RBAC Model

The example covers the following RBAC model:

  • users of the operations group have access to:
    • in Kublr UI, only Monitoring and Logging
    • logs from business application and OS
  • users of the audit group have access to:
    • all Kublr UI
    • clusters in the develop and prod spaces (read-only)
    • all cluster logs
    • Kubernetes dashboard
    • logs from all pods in all namespaces

Procedure

Configuring groups and users (in Keycloak)

  1. Select the kublr-ui realm.
  2. In Groups, create the KublrOperations and KublrAudit groups.
  3. In Realm roles, create the user_operations realm role.
  4. In Users:
  5. Create the audit user and add it to the KublrReadOnlyUsers and KublrAudit groups.
  6. Create the operations user and add it to the KublrReadOnlyUsers and KublrOperations groups.
  7. For the operations user, on the Role mapping tab, assign the user_operations role.

Creating spaces and clusters (in Kublr)

  1. In SecuritySpaces tab, create develop and prod spaces.
  2. In Clusters, create 1 cluster in each of these spaces.

Configuring roles (in Kublr)

  1. In SecurityRoles, create global roles:

    • all-space: rule for space, Verbs - “list”

      [Image: Role for listing spaces]

    • all-clusters: rule for space, cluster, cluster/id, Verbs - “list, get”

    • cluster-dashboard: rule for cluster/proxy, cluster/admin-dashboard, cluster/dashboard, cluster/admin-proxy, Verbs - “get”

Binding Kublr roles to Keycloak groups (in Kublr)

  1. In SecurityRole Bindings, create global role bindings:

    • all-spaces-viewer: bind the all-space role to the KublrOperations and KublrAudit groups
    • cluster-dashboard-audit: bind the cluster-dashboard role to the KublrAudit group
  2. Then create space role bindings:

    • operations-dev-space: for the space develop, bind the all-clusters role to the KublrOperations and KublrAudit groups

    • operations-prod-space: for the space prod, bind the all-clusters role to the KublrOperations and KublrAudit groups

      [Image: Role binding schema]

Configuring Search Guard on ELK in Kubernetes cluster

  1. Log in to the cluster using the administrator kubeconfig.

  2. Using k9s or kubectl, find the kublr-logging-controller-* pod in the Kublr namespace and open a shell in its kublr-feature-logging container.

  3. To export the current Search Guard configuration, execute the /opt/logging-controller/sg_retrieve.sh script.

  4. Change to the /tmp directory: cd /tmp.

  5. Add the following code to the end of the roles.yml file:

    # Search Guard role that removes access to audit and kube-system log
    # indices; it is combined with whatever read access the user already has.
    sg_user_operations:
      exclude_index_permissions:
        - actions:
            - "*"                          # every action on the matched indices
          index_patterns:
            - "*kublr_*_audit*"            # audit log indices
            - "*kublr_*_kube-system-*"     # kube-system namespace log indices

  6. Add the following code to the end of the roles_mapping.yml file:

    # Map the Keycloak realm role user_operations (a backend role as seen by
    # Search Guard) to the sg_user_operations role defined in roles.yml.
    sg_user_operations:
      backend_roles:
        - "user_operations"

  7. To import configuration to Search Guard, execute the /opt/logging-controller/sg_apply.sh script.
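The following is an added example, not Kublr or Search Guard code, that models the effect of the two YAML fragments above so you can check which log indices an operations user and an audit user end up able to read. Search Guard itself evaluates these rules inside Elasticsearch; the script only reproduces the wildcard matching of exclude_index_permissions. It assumes that every logged-in user otherwise has read access to all indices (the BASE_READ_PATTERNS value), and the index names in SAMPLE_INDICES are constructed to follow the shape implied by the patterns, not taken from a real cluster.

```python
"""Model of the Search Guard exclusion rules from the procedure above.

Added example, not Kublr or Search Guard code.  It reproduces only the
index-pattern matching of exclude_index_permissions; the real decision is
made by Search Guard inside Elasticsearch.
"""
from fnmatch import fnmatchcase

# Mirrors the roles.yml fragment added in the procedure (same patterns).
ROLES = {
    "sg_user_operations": {
        "exclude_index_permissions": [
            {
                "actions": ["*"],
                "index_patterns": ["*kublr_*_audit*", "*kublr_*_kube-system-*"],
            }
        ],
    },
}

# Mirrors the roles_mapping.yml fragment: Keycloak realm role -> SG role.
ROLES_MAPPING = {"sg_user_operations": {"backend_roles": ["user_operations"]}}

# Assumption (not stated on the page): every logged-in user can otherwise
# read all indices, so the exclusion is the only thing narrowing access.
BASE_READ_PATTERNS = ["*"]


def sg_roles_for(backend_roles):
    """Return the Search Guard roles mapped to a user's backend roles."""
    wanted = set(backend_roles)
    return sorted(
        sg_role
        for sg_role, mapping in ROLES_MAPPING.items()
        if wanted & set(mapping["backend_roles"])
    )


def can_read(backend_roles, index):
    """True if a user with these backend roles may read `index`.

    Access is the base grant minus any exclusion carried by the user's
    Search Guard roles; one matching exclusion pattern is enough to deny.
    """
    if not any(fnmatchcase(index, p) for p in BASE_READ_PATTERNS):
        return False
    for sg_role in sg_roles_for(backend_roles):
        for excl in ROLES.get(sg_role, {}).get("exclude_index_permissions", []):
            if any(fnmatchcase(index, p) for p in excl["index_patterns"]):
                return False
    return True


def readable_indices(backend_roles, indices):
    """Filter `indices` down to those the user may read."""
    return [i for i in indices if can_read(backend_roles, i)]


# Constructed index names in the kublr_<cluster>_<namespace>-<date> shape
# implied by the patterns; not taken from a real cluster.
SAMPLE_INDICES = [
    "kublr_develop_default-2024.01.01",      # business application logs
    "kublr_prod_default-2024.01.01",         # business application logs
    "kublr_prod_kube-system-2024.01.01",     # Kubernetes system logs
    "kublr_develop_audit-2024.01.01",        # audit logs
]

if __name__ == "__main__":
    # operations user: carries the user_operations realm role
    print("operations:", readable_indices(["user_operations"], SAMPLE_INDICES))
    # audit user: no user_operations role, so no exclusion applies
    print("audit:     ", readable_indices([], SAMPLE_INDICES))
```

Running it shows the operations user limited to the two default-namespace (business application) indices, while the audit user, who does not carry the user_operations realm role, keeps all four. If an index you expect to be hidden still appears in the operations list, check the naming of that index against the two patterns before looking anywhere else.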

See Also