Tags: SearchGuard, logging




Overview


By default, Kublr logging grants full access to cluster logs to every user who has Kublr access to the cluster. In some situations this may be too permissive.


The following procedure disables access to specific indices or index patterns.


Configuration procedure


  1. Create a new role in the Keycloak UI; we will use a role named ba as an example
  2. Assign the role ba to the restricted user
  3. Modify the SearchGuard config as follows (the procedure for adjusting the SearchGuard configuration is described in the Kublr documentation)

Add the role mapping to the roles_mapping.yml file as follows:


sg_ba:
  backend_roles:
  - "ba"

Add the role definition to the roles.yml file as follows:


sg_ba:
  exclude_index_permissions:
  - actions:
    - "*"
    index_patterns:
    - "kublr_*_kublr-*"
    - "kublr_*_kube-system-*"


Now a user with the role ba will not see logs from the indices (data streams) matching the patterns specified above.
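Before applying the change, it helps to check which index names the two exclusion patterns actually cover. The script below is an added example, not part of the Kublr or SearchGuard code: it resolves backend roles through the mapping and role definition shown above and splits a list of index names into hidden and visible. The function names, the sample index names and the wildcard semantics ('*' matches any run of characters, '?' matches one character) are assumptions made for the illustration.

```python
import re

# The two fragments from this page, written as Python literals (no YAML parser needed).
ROLES_MAPPING = {"sg_ba": {"backend_roles": ["ba"]}}
ROLES = {"sg_ba": {"exclude_index_permissions": [
    {"actions": ["*"],
     "index_patterns": ["kublr_*_kublr-*", "kublr_*_kube-system-*"]},
]}}


def wildcard_to_regex(pattern):
    """Assumption: only '*' (any run of characters) and '?' (one character) are special."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))


def excluded_patterns(backend_roles):
    """Resolve backend roles -> SearchGuard roles -> patterns excluded for all actions."""
    patterns = []
    for sg_role, mapping in ROLES_MAPPING.items():
        if not set(mapping.get("backend_roles", [])) & set(backend_roles):
            continue  # the user does not hold a backend role mapped to this role
        for rule in ROLES.get(sg_role, {}).get("exclude_index_permissions", []):
            if "*" in rule.get("actions", []):
                patterns.extend(rule.get("index_patterns", []))
    return patterns


def split_indices(backend_roles, indices):
    """Return (hidden, visible) index names for a user holding the given backend roles."""
    regexes = [wildcard_to_regex(p) for p in excluded_patterns(backend_roles)]
    hidden = [i for i in indices if any(r.fullmatch(i) for r in regexes)]
    visible = [i for i in indices if i not in hidden]
    return hidden, visible


# Constructed index names for illustration; take the real list from your cluster.
SAMPLE_INDICES = [
    "kublr_demo_kublr-2024.05.01",
    "kublr_demo_kube-system-2024.05.01",
    "kublr_demo_default-2024.05.01",
    "kublr_demo_kublr-test-2024.05.01",  # '*' also covers longer names with the same prefix
]

if __name__ == "__main__":
    for roles in (["ba"], ["other"]):
        hidden, visible = split_indices(roles, SAMPLE_INDICES)
        print(roles, "hidden:", hidden, "visible:", visible)
```

Running it against the real index list shows whether a pattern hides more or less than intended before the restricted user logs in.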

