
Separate multi-tenant log data with management zones

PeterR
Participant
Separate log data with management zones


Description
Currently we separate tenants on our Kubernetes platform using management zones.
Each tenant can have multiple namespaces, which are prefixed with the tenant name.
For example tenant1-namespace1, tenant1-namespace2, tenant2-namespace1.
A tenant represents a process group that is tied to a management zone, a policy and one or more synced (SSO) SCIM Active Directory groups.
We're using Container groups (Process group naming) to make process group tenant1 with all workloads (tenant1-namespace1, tenant1-namespace2).
Each tenant (dt.entity.process_group_instance) has its own process group (tenant1) and its own management zone (tenant1).
This works perfectly.


Now we also want to isolate the log data between tenants, so each tenant should only see their own logs.
They can share data (like logs and dashboards), but primarily they should only see the logs of their own workload and the underlying platform.


The problem is that the logviewer doesn't seem to be able to filter on management zones, on dt.entity.process_group_instance or on any other field
and separate the logs between tenants/users.
So the tenant sees all logs of all other tenants on the whole platform, or no logs at all.

How can we tackle this?
Other platforms support this. The method of log ingestion is API, Fluentd or OneAgent itself, but this is not really relevant in this case. We have plenty of ways to isolate the tenant using fields like dt.entity.process_group_instance, labels in Kubernetes or the payload itself.


Our approach:
We now have the following logging policy on each tenant:
ALLOW storage:buckets:read;
ALLOW storage:system:read,
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:logviewer WHERE environment:management-zone = "tenant1-mgmtzone";


What we want is something like this, but that doesn't seem to work:
ALLOW storage:system:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:events:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:buckets:read WHERE storage:table-name = "tenant1-mgmtzone";
ALLOW storage:metrics:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:entities:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:bizevents:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:spans:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";


Links
Logs and events, advantaged mode using Grail
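The two policy fragments above differ in one security-relevant way: the current policy grants every storage:*:read permission with no WHERE condition, so the management-zone condition on the viewer/logviewer roles never narrows what log data a tenant can query. A static check that flags unconditional storage grants before a tenant policy is applied makes that visible. The following is an added example written for this thread, not code from Dynatrace or from the original poster; it parses the statement shape shown in the post (ALLOW permissions separated by commas, an optional WHERE clause, statements terminated by ";") and that grammar is an assumption taken from the examples here, not from the product documentation. It only reports grants that carry no condition at all; whether a given condition is actually honoured for log reads is the open question of the thread and is not something this check can decide.

```python
"""
Static check for tenant IAM policy text of the shape shown in the thread:

    ALLOW perm1, perm2 [WHERE key = "value"];

Assumptions (constructed for this example, not taken from Dynatrace docs):
  * statements are separated by ';' and permissions within one by ','
  * one optional WHERE clause applies to every permission in the statement
"""
import re
from dataclasses import dataclass
from typing import List, Optional

STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Grant:
    permission: str
    condition: Optional[str]  # None means the grant is unconditional


def parse_policy(text: str) -> List[Grant]:
    """Split policy text into one Grant per (permission, condition) pair."""
    grants: List[Grant] = []
    for raw in text.split(";"):
        stmt = raw.strip()
        if not stmt:
            continue
        match = STATEMENT_RE.match(stmt)
        if not match:
            raise ValueError(f"unrecognised statement: {stmt!r}")
        cond = match.group("cond")
        for perm in match.group("perms").split(","):
            perm = perm.strip()
            if perm:
                grants.append(Grant(perm, cond.strip() if cond else None))
    return grants


def unscoped_storage_reads(text: str) -> List[str]:
    """storage:*:read permissions granted with no WHERE condition at all."""
    return sorted({
        g.permission for g in parse_policy(text)
        if g.permission.startswith("storage:")
        and g.permission.endswith(":read")
        and g.condition is None
    })


def conditions_for(text: str, permission: str) -> List[Optional[str]]:
    """Every condition under which `permission` is granted (None = unconditional)."""
    return [g.condition for g in parse_policy(text) if g.permission == permission]


# The poster's current policy, copied from the thread.
CURRENT_POLICY = """
ALLOW storage:buckets:read;
ALLOW storage:system:read,
storage:events:read,
storage:logs:read,
storage:metrics:read,
storage:entities:read,
storage:bizevents:read,
storage:spans:read;
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:logviewer WHERE environment:management-zone = "tenant1-mgmtzone";
"""

# The policy the poster would like to use, copied from the thread.
DESIRED_POLICY = """
ALLOW storage:system:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:events:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:buckets:read WHERE storage:table-name = "tenant1-mgmtzone";
ALLOW storage:metrics:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:entities:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:bizevents:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:spans:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";
"""

if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("desired", DESIRED_POLICY)):
        findings = unscoped_storage_reads(policy)
        print(f"{name}: {len(findings)} unconditional storage read grant(s)")
        for perm in findings:
            print(f"  - {perm}")
```

Running it prints eight unconditional storage reads for the current policy (including storage:logs:read) and none for the desired one, which is exactly the difference the poster is trying to get the product to enforce.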
4 REPLIES

Hi, it's more about data ownership: that the people in one management zone can only read their own data (log data) regardless of the form of the data. In our case this is JSON and syslog-compatible logging, but that is only important for processing.

PeterR
Participant

We've made a feature request and we are investigating some new possibilities:
https://community.dynatrace.com/t5/Product-ideas/opt-in-logging-using-kubernetes-labels/idi-p/219533

Vakho
Helper

Hello PeterR,
Is this something you are looking for?
(attached screenshot: 213213123.PNG)
The source:
https://www.dynatrace.com/support/help/manage/access-control/manage-user-permissions-roles

Hi, unfortunately no. In Kubernetes, tenants are separated by data ownership on an application level, like namespaces, labels and annotations, not by the underlying hosts. Pods and containers share underlying hosts. It's an abstraction layer, so to speak. But thanks for your reply.
