Module lifecycle stage: Preview
The module has installation requirements.

The observability module defines a number of custom resources required for its operation. Access control is managed through the user-authn module and the Kubernetes role model.

To control access to cluster-scoped module resources, two standard ClusterRoles are provided:

  • d8:manage:permission:module:observability:edit: Grants permissions to create, edit, read, and delete system (cluster-level) module resources.
  • d8:manage:permission:module:observability:view: Grants read access to cluster-level module resources.

To control access to project-scoped module resources, two standard ClusterRoles are provided:

  • d8:use:capability:module:observability:edit: Grants permissions to read, create, edit, and delete module resources.
  • d8:use:capability:module:observability:view: Grants read access to project-level module resources.

To give a user access to project or cluster metrics, assign the corresponding role. You can also include observability module permissions in existing roles.

Access to metrics and dashboards in a namespace

To grant access to metrics and dashboards in a specific namespace, create ClusterRole and RoleBinding resources that define the user’s permissions. Access to metrics and dashboards is granted separately:

  • Metrics: The get permission for the metrics.observability.deckhouse.io resource is checked.
  • Dashboards: Permissions for the observabilitydashboards.observability.deckhouse.io resource are checked:
    • get: View dashboards.
    • create: Create, modify, and delete dashboards.

Example of a ClusterRole and RoleBinding that grant read-only access to metrics and dashboards:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-viewer
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["metrics", "observabilitydashboards"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-observability-viewer
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-viewer
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Example of a ClusterRole and RoleBinding that grant read and edit access to metrics and dashboards:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-editor
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["metrics", "observabilitydashboards"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["observabilitydashboards"]
    verbs: ["create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-observability-editor
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-editor
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Access to system metrics and dashboards

To grant access to system metrics and dashboards, create ClusterRole and ClusterRoleBinding resources that define the user’s permissions. Access to metrics and dashboards is granted separately:

  • Metrics: The get permission for the clustermetrics.observability.deckhouse.io resource is checked.
  • Dashboards: Permissions for the clusterobservabilitydashboards.observability.deckhouse.io resource are checked:
    • get: View dashboards.
    • create: Create, modify, and delete dashboards.

Example of a ClusterRole and ClusterRoleBinding for viewing system metrics and dashboards:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-cluster-viewer
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["clustermetrics", "clusterobservabilitydashboards"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-observability-cluster-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-cluster-viewer
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Example of a ClusterRole and ClusterRoleBinding that grant read and edit access to metrics and dashboards:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-cluster-editor
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["clustermetrics", "clusterobservabilitydashboards"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["clusterobservabilitydashboards"]
    verbs: ["create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-observability-cluster-editor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-cluster-editor
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io
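To confirm that the bindings in the two sections above (namespaced metrics and dashboards, and system metrics and dashboards) grant exactly what is intended and nothing more, this added example, which is not part of the Deckhouse documentation, replays the Kubernetes RBAC decision offline over the page's observability-editor and observability-cluster-viewer roles transcribed as Python dicts. It assumes standard RBAC semantics only (allow-only rules, RoleBinding scoped to its namespace, ClusterRoleBinding cluster-wide) and ignores resourceNames, subresources and Group subjects, which these roles do not use.

```python
GROUP = "observability.deckhouse.io"

# Constructed from the page's manifests: observability-editor, bound in
# my-namespace by a RoleBinding, and observability-cluster-viewer, bound
# cluster-wide by a ClusterRoleBinding, both for user@example.com.
CLUSTER_ROLES = {
    "observability-editor": [
        {"apiGroups": [GROUP], "resources": ["metrics", "observabilitydashboards"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [GROUP], "resources": ["observabilitydashboards"],
         "verbs": ["create", "update", "delete"]},
    ],
    "observability-cluster-viewer": [
        {"apiGroups": [GROUP],
         "resources": ["clustermetrics", "clusterobservabilitydashboards"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# namespace None marks a ClusterRoleBinding: it applies in every namespace
# and to cluster-scoped requests; a RoleBinding only counts in its namespace.
BINDINGS = [
    {"namespace": "my-namespace", "roleRef": "observability-editor",
     "subjects": ["user@example.com"]},
    {"namespace": None, "roleRef": "observability-cluster-viewer",
     "subjects": ["user@example.com"]},
]


def rule_allows(rule, group, resource, verb):
    """One RBAC rule matches if group, resource and verb are each listed (or '*')."""
    return all(value in rule[key] or "*" in rule[key] for key, value in
               (("apiGroups", group), ("resources", resource), ("verbs", verb)))


def can_i(user, verb, resource, namespace=None, group=GROUP):
    """Allow-only RBAC decision: True if any applicable binding's role has a matching rule.

    namespace=None is a cluster-scoped request (e.g. clustermetrics), which only a
    ClusterRoleBinding can satisfy. resourceNames, subresources and Group subjects
    are omitted because the page's roles do not use them.
    """
    for binding in BINDINGS:
        if user not in binding["subjects"]:
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        if any(rule_allows(r, group, resource, verb)
               for r in CLUSTER_ROLES.get(binding["roleRef"], [])):
            return True
    return False
```

In a live cluster the same questions are answered by `kubectl auth can-i create observabilitydashboards.observability.deckhouse.io --as user@example.com -n my-namespace`; the answer should be "yes" here and "no" for any other namespace.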

Access to logs in a namespace

To grant access to logs in a specific namespace, create ClusterRole and RoleBinding resources that define the user’s permissions.

The get permission for the logs.observability.deckhouse.io resource is checked.

Example of a ClusterRole and RoleBinding that grant read-only access to logs in a namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-viewer
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["logs"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-observability-viewer
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-viewer
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Access to system logs

To grant access to system logs, create ClusterRole and ClusterRoleBinding resources that define the user’s permissions.

The get permission for the clusterlogs.observability.deckhouse.io resource is checked.

Example of a ClusterRole and ClusterRoleBinding for viewing system logs:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-cluster-viewer
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["clusterlogs"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-observability-cluster-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-cluster-viewer
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Full access to all metrics, dashboards and logs

To grant full access to all metrics, dashboards, and logs in DKP, create a ClusterRole that includes all required permissions, then assign it with a ClusterRoleBinding.

The built-in cluster-admin role also works, but use it with caution: it grants full access to every resource in the cluster, not only observability data.

Example of a ClusterRole and ClusterRoleBinding that grant full access to all metrics, dashboards, and logs:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-admin
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources:
      - metrics
      - clustermetrics
      - observabilitydashboards
      - clusterobservabilitydashboards
      - clusterobservabilitypropagateddashboards
      - logs
      - clusterlogs
    verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-observability-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-admin
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Granting access when using RBAC 2.0

If the experimental role model is enabled, permissions are assigned through UserRole and ClusterUserRole resources.

Example of access to metrics and dashboards in a namespace:

Note that this example grants more than access to dashboards and metrics: the d8:use:role:user role is described in the user-authz module documentation.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-developer
  namespace: myapp
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: d8:use:role:user
  apiGroup: rbac.authorization.k8s.io