Merge pull request #75292 from michaelryanmcneill/OSDOCS-10398

bmcelvee · web-flow · commit 0fc3baa2fe4a · 2024-04-29T14:12:30.000-04:00
OSDOCS-10398: updating docs to reflect the use of oc adm node-logs is allowed
diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml
@@ -367,7 +367,7 @@ Name: Security and compliance
 Dir: security
 Distros: openshift-dedicated
 Topics:
-- Name: Audit logs
+- Name: Viewing audit logs
   File: audit-log-view
 ---
 Name: Authentication and authorization
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -590,7 +590,7 @@ Name: Security and compliance
 Dir: security
 Distros: openshift-rosa
 Topics:
-- Name: Audit logs
+- Name: Viewing audit logs
   File: audit-log-view
 - Name: Adding additional constraints for IP-based AWS role assumption
   File: rosa-adding-additional-constraints-for-ip-based-aws-role-assumption
diff --git a/modules/gathering-data-audit-logs.adoc b/modules/gathering-data-audit-logs.adoc
@@ -24,7 +24,15 @@ You can gather audit logs, which are a security-relevant chronological set of re
 
 endif::support[]
 ifdef::viewing[]
+
 You can use the must-gather tool to collect the audit logs for debugging your cluster, which you can review or send to Red Hat Support.
+
+ifdef::openshift-dedicated[]
+[NOTE]
+====
+In {product-title} deployments, customers who are not using the Customer Cloud Subscription (CCS) model must request a copy of your cluster's audit logs by contacting Red Hat Support. This is because using the must-gather tool requires `cluster-admin` privileges.
+====
+endif::openshift-dedicated[]
 endif::viewing[]
 
 .Procedure
diff --git a/modules/nodes-nodes-audit-log-basic-viewing.adoc b/modules/nodes-nodes-audit-log-basic-viewing.adoc
@@ -8,6 +8,13 @@
 
 You can view the logs for the OpenShift API server, Kubernetes API server, OpenShift OAuth API server, and OpenShift OAuth server for each control plane node.
 
+ifdef::openshift-dedicated[]
+[NOTE]
+====
+In {product-title} deployments, customers who are not using the Customer Cloud Subscription (CCS) model must request a copy of your cluster's audit logs by contacting Red Hat Support. This is because viewing API server audit logs requires `cluster-admin` privileges.
+====
+endif::openshift-dedicated[]
+
 .Procedure
 
 To view the audit logs:
diff --git a/security/audit-log-view.adoc b/security/audit-log-view.adoc
@@ -1,15 +1,11 @@
 :_mod-docs-content-type: ASSEMBLY
 include::_attributes/common-attributes.adoc[]
-ifndef::openshift-rosa,openshift-dedicated[]
-[id="audit-log-view"]
-= Viewing audit logs
-endif::openshift-rosa,openshift-dedicated[]
-
 ifdef::openshift-rosa,openshift-dedicated[]
 include::_attributes/attributes-openshift-dedicated.adoc[]
-[id="audit-log-view"]
-= Audit logs
 endif::openshift-rosa,openshift-dedicated[]
+
+[id="audit-log-view"]
+= Viewing audit logs
 :context: audit-log-view
 
 toc::[]
@@ -18,23 +14,23 @@ toc::[]
 
 include::modules/nodes-nodes-audit-log-basic.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa,openshift-dedicated[]
 // Viewing the audit log
 include::modules/nodes-nodes-audit-log-basic-viewing.adoc[leveloffset=+1]
 
 // Filtering audit logs
 include::modules/security-audit-log-filtering.adoc[leveloffset=+1]
-endif::openshift-rosa,openshift-dedicated[]
+
 // Gathering audit logs
 include::modules/gathering-data-audit-logs.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa,openshift-dedicated[]
 [id="viewing-audit-logs-additional-resources"]
 [role="_additional-resources"]
 == Additional resources
 
+ifndef::openshift-rosa,openshift-dedicated[]
 * xref:../support/gathering-cluster-data.adoc#about-must-gather_gathering-cluster-data[Must-gather tool]
 * link:https://github.com/kubernetes/apiserver/blob/master/pkg/apis/audit/v1/types.go#L72[API audit log event structure]
 * xref:../security/audit-log-policy-config.adoc#audit-log-policy-config[Configuring the audit log policy]
-* xref:../observability/logging/log_collection_forwarding/log-forwarding.adoc#log-forwarding[About log forwarding]
 endif::[]
+* xref:../observability/logging/log_collection_forwarding/log-forwarding.adoc#log-forwarding[About log forwarding]
+
