MajoriyRuel

Reputation: 13

How can a Google Cloud Logging user be limited to view logs from a specific deployment?

My company currently has a legacy GCP project that has multiple deployments running in the same Kubernetes namespace. Before time can be found to separate the deployments into their own projects, I would like to give certain users access to the (Cloud Logging) logs of specific deployments, e.g. team_A should only be able to see the logs of deployment_A in the default namespace.

Google has IAM conditions, however I cannot find the right name or type to use. There's a big list, but am I missing something? Is this not possible?

Conditions dialog

Upvotes: 0

Views: 461

Answers (1)

MBHA Phoenix

Reputation: 2217

You can use RBAC Authorization for this kind of fine-tuned access control:

For example, you can create a custom ClusterRole with only pods/log as the resource, core as the apiGroup and get as the verb. Then you create a RoleBinding in the default namespace that binds the custom ClusterRole to your users / group.

If you are using Google Groups, you may also need to check this documentation: https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac

Upvotes: 2
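The ClusterRole and RoleBinding described in the answer, written out as an added example (these are not the answer's own manifests; the role names, the default namespace and the group team-a@example.com are assumptions):

```yaml
# Added example, not from the original answer: a ClusterRole that grants
# read access to the pod log subresource only, bound in one namespace.
# Role names, namespace and group name are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log-reader
rules:
  - apiGroups: [""]          # "" is the core API group
    resources: ["pods/log"]  # the log subresource only; no "pods" resource,
                             # so members cannot list or describe pods
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-pod-log-reader
  namespace: default         # a RoleBinding scopes the ClusterRole to this namespace only
subjects:
  - kind: Group
    name: team-a@example.com # assumed Google Group (requires Google Groups for RBAC on GKE)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
```

This governs kubectl logs through the API server (not what the Cloud Logging console shows) and covers every pod in the namespace, so narrowing it to one deployment would require resourceNames listing pod names, which change on every rollout. Verify the grant with: kubectl auth can-i get pods --subresource=log -n default --as=user@example.com --as-group=team-a@example.com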
