Commit 6f9c84d

Add log-collector-rbac.md with RBAC configurations
1 parent 5c369ef commit 6f9c84d

1 file changed

+99
-0
lines changed

@@ -0,0 +1,99 @@
1+
---
2+
Title: Log collector RBAC
3+
alwaysopen: false
4+
categories:
5+
- docs
6+
- operate
7+
- kubernetes
8+
description: RBAC configurations for Redis Enterprise log collector in all and restricted modes.
9+
linkTitle: Log collector RBAC
10+
weight: 90
11+
---
12+
13+
This page provides YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool.
14+
15+
## Overview
16+
17+
The Redis Enterprise log collector script helps gather diagnostic information for troubleshooting.
18+
The log collector requires different permission levels depending on the collection mode you choose.
19+
It has two collection modes that require different RBAC permissions:
20+
h
21+
- **Restricted mode** (recommended): Collects only Redis Enterprise resources with minimal security exposure. Default for versions 6.2.18-3+.
22+
- **All mode**: Collects comprehensive cluster information including nodes, storage classes, and operator resources. Use when specifically requested by Redis Support.
23+
24+
## RBAC configurations
25+
26+
### Restricted mode
27+
28+
{{<embed-md "k8s/log_collector_role_restricted_mode.md">}}
29+
30+
### All mode
31+
32+
{{<embed-md "k8s/log_collector_role_all_mode.md">}}
33+
34+
{{< note >}}
35+
For the complete list of resources and permissions required by each mode, refer to the role definitions in the YAML files above.
36+
{{< /note >}}
37+
38+
## Applying RBAC configurations
39+
40+
### Namespace requirements
41+
42+
The Role and RoleBinding must be created in every namespace where you need to collect logs. This varies based on your deployment model:
43+
44+
- **Single namespace**: Apply to the namespace where Redis Enterprise runs
45+
- **Multi-namespace with single REC**: Apply to the REC namespace plus each REDB namespace
46+
- **Multi-namespace with multiple RECs**: Apply to each REC namespace
47+
48+
The ClusterRole and ClusterRoleBinding need to be created only once per cluster.
49+
50+
{{< note >}}
51+
Each YAML file contains both Role and ClusterRole objects. Running `kubectl apply` installs both components. You can safely run the command multiple times with different namespaces.
52+
{{< /note >}}
53+
54+
### Manual deployment
55+
56+
If you prefer to apply the configurations manually, save the YAML content to local files and apply them:
57+
58+
```bash
59+
# Save the YAML content to a file
60+
kubectl apply -f log-collector-rbac.yaml --namespace <namespace>
61+
```
62+
63+
## Usage
64+
65+
After applying the RBAC configuration, run the log collector:
66+
67+
```bash
68+
# Restricted mode (default for 6.2.18-3+)
69+
python log_collector.py -m restricted -n <namespace>
70+
71+
# All mode
72+
python log_collector.py -m all -n <namespace>
73+
```
74+
75+
## Security considerations
76+
77+
- **Use restricted mode** unless you specifically need additional cluster information
78+
- **Limit namespace access** to only where log collection is needed
79+
- **Handle collected data** according to your organization's security policies (logs may contain sensitive information)
80+
81+
### Secrets permission explanation
82+
83+
The RBAC configurations request read access to secrets in the collected namespaces. **Secrets are not collected or included in the log package sent to Redis Support.** This permission is required because:
84+
85+
- The log collector uses Helm commands (`helm list`, `helm get all`) to gather information about Redis Enterprise Helm chart deployments
86+
- Helm stores its deployment metadata in Kubernetes secrets
87+
- For Redis Enterprise charts, this metadata contains only deployment configuration (not sensitive data), but follows Helm's standard storage pattern
88+
89+
If your security policies prohibit secrets access, you can remove the secrets permission from the Role, but this will limit the log collector's ability to gather Helm deployment information.
90+
91+
## Troubleshooting
92+
93+
If you encounter permission errors, verify that roles and bindings are applied correctly in the target namespaces. For missing resources, ensure the ClusterRole is applied and consider switching to all mode if additional resources are needed.
94+
95+
## Related documentation
96+
97+
- [Collect logs guide]({{< relref "/operate/kubernetes/logs/collect-logs" >}})
98+
- [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
99+
- [Redis Enterprise troubleshooting]({{< relref "/operate/kubernetes/logs" >}})
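
Review bot: added line 20 contains a stray `h` between the sentence that introduces the two collection modes and the bullet list; it will render as a paragraph of its own and should be deleted. In the same Overview, added lines 18 and 19 say the same thing twice ("requires different permission levels depending on the collection mode" and "two collection modes that require different RBAC permissions"), so one of them can go. Under "Secrets permission explanation", the text says the Role requests read access to secrets so that Helm metadata can be read, but it does not say whether the grant is limited to Helm's release secrets; unless the Role narrows it, read access to secrets in a namespace covers every secret stored there, so the section should state the scope explicitly and let readers weigh it against their policy. Troubleshooting also suggests switching to all mode when resources are missing, while the Overview reserves all mode for cases where Redis Support requests it; the two should be aligned.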
