LogAnalytics workspace - aks logs

mladents
Occasional Visitor

Hello,

We currently use Azure AKS and have a log workspace for logs from that cluster.

Is it possible to set up more detailed access permissions, for example, to ship logs from an (AKS cluster applications) namespace to a specific Log Analytics workspace? The idea here is to configure users' access to the logs from their apps/namespace only, not to have access to all cluster logs.

Tried with Azure CLI, but it looks like you can assign a log workspace per cluster only.

Thanks,

Best regards,

Mladen.

2 Replies

When you set up monitoring there are many Log Analytics tables that are produced.

https://docs.microsoft.com/en-gb/azure/azure-monitor/insights/container-insights-analyze#container-data-collection-details

You can use table-level RBAC to restrict access to those tables? It is only table level, not fine-grained enough to look at the data within.
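
A custom role of the kind the reply above refers to, as an added example that is not part of the original thread. The role name, the choice of the `ContainerLog` and `KubePodInventory` tables, and the bracketed scope values are assumptions for illustration; the action strings follow the per-table `workspaces/query/<table>/read` pattern used for Log Analytics custom roles.

```json
{
  "Name": "AKS Container Log Reader (example)",
  "Description": "Constructed example: query access to two Container Insights tables only.",
  "Actions": [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.OperationalInsights/workspaces/query/ContainerLog/read",
    "Microsoft.OperationalInsights/workspaces/query/KubePodInventory/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
  ]
}
```

A user holding only this role can query the two listed tables and nothing else in the workspace, but sees every row in them, so logs from all namespaces in the cluster remain visible.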

Hi Mladen,

We are working these days on exactly that. The current resource-centric isn't working right now on AKS clusters as the logs are not tagged with the AKS resource ID. This is supposed to be fixed in a few weeks. Once it is fixed, you would be able to use the resource-based RBAC to define per-cluster RBAC.
Right now, we don't plan to support per-namespace as namespaces are an internal Kube entity that doesn't receive Azure RBAC assignments. We consider options for the future.

Thanks,
Meir