add users and roles for logging

anish-mudaraddi · anish-mudaraddi · commit 7e2d0397c098 · 2024-10-17T11:39:49.000+01:00
add opensearch config for setting up roles and users for writing and reading logs

add separate tenants for each environment so that we can setup separate RBAC policies
diff --git a/clusters/dev/worker/opensearch-values.yaml b/clusters/dev/worker/opensearch-values.yaml
@@ -22,31 +22,172 @@ ingress:
       hosts:
         - nodes.dev.nubes.stfc.ac.uk
 
+# This is a Opensearch cluster that collects logs from all clusters 
+# and stores in different tenants
 users:
-# for ingesting k8s container logs
-- name: fluentbit
-  passwordFrom:
-    name: fluentbit-credentials-secret
-    key: password
-  backendRoles:
-    - kibana_user
-
-roles:
-# for ingesting k8s container logs
-- name: fluentbit
-  clusterPermissions:
-    - cluster_composite_ops
-    - cluster_monitor
-  indexPermissions:
-    - indexPatterns:
-        - audit-*
-        - container-*
-        - access-*
-      allowedActions:
-        - create_index
-        - index
-        - write
-
-roleMappings:
-  - roleName: fluentbit
-    user: fluentbit
+  log_writer_dev:
+    reserved: false
+    backend_roles: 
+      - k8s_log_writer_dev
+    description: "user for writing dev k8s logs"
+
+  log_writer_staging:
+    reserved: false
+    backend_roles: 
+      - k8s_log_writer_staging
+    description: "user for writing staging k8s logs"
+
+  log_writer_prod:
+    reserved: false
+    backend_roles: 
+      - k8s_log_writer_prod
+    description: "user for writing prod k8s logs"
+
+tenants:
+  cloud_dev: 
+    reserved: true
+    description: "logs from dev k8s clusters"
+  cloud:
+    reserved: true
+    description: "logs for prod/staging k8s clusters"
+
+roles:  
+  write_only_dev:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_dev_*_cluster*"
+        - "trivy_logs_dev_*_cluster*"
+      allowed_actions:
+        - "indices:data/write/bulk"
+        - "indices:data/write/index"
+        - "indices:data/write/update"
+        - "indices:admin/create"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud_dev
+  
+  read_only_dev:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_dev_*_cluster*"
+        - "trivy_logs_dev_*_cluster*"
+      allowed_actions:
+        - "indices:data/write/*",
+        - "indices:data/read/*",
+        - "indices:admin/*"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud_dev
+      allowed_actions:
+        # so to allow creating dashboards
+        - kibana_all_write
+
+  write_only_staging:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_staging_*_cluster*"
+        - "trivy_logs_staging_*_cluster*"
+      allowed_actions:
+        - "indices:data/write/bulk"
+        - "indices:data/write/index"
+        - "indices:data/write/update"
+        - "indices:admin/create"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud
+  
+  read_only_staging:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_staging_*_cluster*"
+        - "trivy_logs_staging_*_cluster*"
+      allowed_actions:
+        - "indices:data/write/*"
+        - "indices:data/read/*"
+        - "indices:admin/*"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud
+      allowed_actions:
+        # so to allow creating dashboards
+        - kibana_all_write
+  
+  write_only_prod:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_prod_*_cluster*"
+        - "trivy_logs_prod_*_cluster*" 
+      allowed_actions:
+        - "indices:data/write/bulk"
+        - "indices:data/write/index"
+        - "indices:data/write/update"
+        - "indices:admin/create"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud
+  
+  read_only_prod:
+    reserved: false
+    cluster_permissions: []
+    index_permissions:
+    - index_patterns:
+        - "k8s_logs_prod_*_cluster*"
+        - "trivy_logs_prod_*_cluster*" 
+      allowed_actions:
+        - "indices:data/write/*"
+        - "indices:data/read/*"
+        - "indices:admin/*"
+    tenant_permissions: 
+      tenant_patterns:
+        - cloud
+      allowed_actions:
+        # so to allow creating dashboards
+        - kibana_all_write
+
+rolesMapping:
+  k8s_log_writer_dev:
+    backend_roles:
+      - write_only_dev
+    user: 
+      - log_writer_dev
+    description: "map dev log writer role"
+  k8s_log_writer_staging:
+    backend_roles:
+      - write_only_staging
+    user: 
+      - log_writer_staging
+    description: "map staging log writer role"    
+  k8s_log_writer_prod:
+    backend_roles:
+      - write_only_prod
+    user: 
+      - log_writer_prod
+    description: "map prod log writer role"
+  
+  k8s_dev:
+    backend_roles:
+      - read_only_dev
+      - stfc-cloud-dev
+    user: 
+      - log_writer_dev
+    description: "map dev users to dev read role"
+  k8s_prod:
+    backend_roles:
+      - read_only_staging
+      - read_only_prod
+      - read_only_dev
+      - stfc-cloud/team
+    user: 
+      - log_writer_dev
+    description: "map cloud team users to all read roles"
+    
diff --git a/secrets/dev/worker/opensearch.yaml b/secrets/dev/worker/opensearch.yaml
@@ -10,6 +10,16 @@ admin:
 openid:
     clientID: ENC[AES256_GCM,data:uMvsOIjTttBfy/BKplxEGhmuNLhKddQH1MlBicQ+UbStPiko,iv:H8+om/9YGfh2vxf8Xh+E90tNLyrKTpXPQjybgt62Ou0=,tag:eqjGOGyi/va5Bs1vDSQQ/g==,type:str]
     clientSecret: ENC[AES256_GCM,data:3qhDQuypewAKxtR5p488hv5Q/+4qIBFvvEAZZSOEyS4icCEaZSd2Viwr7oWdts95R9cqLM7ruoQlI5s+XzNbQiG9BUkc0mjEOuuR92CRCa6GIuaXwvg=,iv:5UJuqz2JkJAqtYRglzrC3U8eZzkSv3nT0WMhhg+yN5c=,tag:alMz/tPl1d7RAQZCeIyLFg==,type:str]
+users:
+    log_writer_dev:
+        #ENC[AES256_GCM,data:T6AsRPPxir0nRfAnbSmvbyKq8gTD,iv:LebgnKjMwmMMXIhySW6y3HPc+z6gS83PyTRM0Uhk2sk=,tag:+W4JcdR6mzfOtR294moj8Q==,type:comment]
+        hash: ENC[AES256_GCM,data:ENyIoA43q6y7zl1WUH57tET2tHRbYGSyV7FMrqB9lQEEu9+vxL6Q05DyHB77b/slfXX+5ohD5FkXcKIz,iv:Ano1xzAD9OMKW8Qhku+OFpuSlkyLDoeXsNUwew9f0mQ=,tag:G2BhBAQwO2WG7tVGrvRyFQ==,type:str]
+    log_writer_staging:
+        #ENC[AES256_GCM,data:72O6y7b7FxqbFeFlqwbsQYoY8DHG,iv:tjdHjDBrUOPlHrMfTslEl3OjKoGNMmZwbv0a7dwqPUk=,tag:9k6iGparJF6R+0+7P6KIsw==,type:comment]
+        hash: ENC[AES256_GCM,data:dWKTVf85bk9vf5Jt5ivY2jqFt+pigoyiMqPBC6GMC5Kms4UYud5+SooCAg0tTvZzGmoA7KM6rdFt7bP9,iv:EOkAB0JwdTq8BDYm6gK8fqHC49u6tIt4QOZ+5Wm/BWU=,tag:iO3kN09kM6yolYrnZqN8QA==,type:str]
+    log_writer_prod:
+        #ENC[AES256_GCM,data:XMEEo0SuFnKVacAk6RAigNdPfjql,iv:TtiYab4aBJ2hYCZ+RLWdY0mGpsSWtxRu3kF3cM0PV20=,tag:Wgr8IPaWMF3NDreMOArwIw==,type:comment]
+        hash: ENC[AES256_GCM,data:u8NB+pXqYec50UOnWomUfT87/TGWLLZ+W1YBGVXEl1UuUardj8Vw3J+wW6iHf+1dyMRWCoAkl3taTkEC,iv:9fMWXnPrpzeO7NQGcLk2kZNLJ2YMOEVqO4igWufRXxo=,tag:kzNFzH98kZVi9Qmr16dyjw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -61,8 +71,8 @@ sops:
             UG9MN0lCWElaUVNLQ0pJTEJKMHVFa2cKgetiuhLepPcjva1pR2hEQLrwc67ygux+
             jqHXJ+BVReG0Sq7HZoCDv6iMQM5DrL0DwmGAZy+5S83zQeTUE1kwaA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-15T21:13:56Z"
-    mac: ENC[AES256_GCM,data:Im6TOCdWj6XBgC9HO/nHbfdg68dRmYwIz+FQw5hmBmsTjQPFl/zNNiBcS/UbwpxuOoIMfrsdhKa0A/DaU+0D+HucFGD7QMGcflTguN/k+gTxBI/BQIQEfAlSJUzhwFbJUJ075KcrmgKQOX9a8GmRyv44uhZwm4be8NYUIapEhnQ=,iv:N2ABX3eovw/Swc8mmppaNC6h8oHH1KKxuLFN16ol66g=,tag:8YhncBZ2MZLELl8uvpb6MQ==,type:str]
+    lastmodified: "2024-10-16T12:58:59Z"
+    mac: ENC[AES256_GCM,data:4X0GJQxFFFVLDYaB5rQeJYJc04bOlzSN8cimFKDLsei058bM3+hRWYUuSnYRB4iaVR0UlOdVaZS/nKCbcW7VUMP0bTBcVbYg6hLQ9jUO4ugOTAOsWixkviSTrYyG79Aa8fzZ3LzqzzULk+0IUwzOddvawejBlhjIVCWaBfOZbVo=,iv:XCieT5ci3H4KiLpEQYmCCg1JttpAMDhkD/nQ/kV9Zsc=,tag:kj54RUuqRNHFczYGS2U37g==,type:str]
     pgp: []
     unencrypted_regex: ^(apiVersion|metadata|kind|type)$
     version: 3.8.1
