|
| 1 | +--- |
| 2 | +Title: Log collector RBAC |
| 3 | +alwaysopen: false |
| 4 | +categories: |
| 5 | +- docs |
| 6 | +- operate |
| 7 | +- kubernetes |
| 8 | +description: RBAC configurations for Redis Enterprise log collector in all and restricted modes. |
| 9 | +linkTitle: Log collector RBAC |
| 10 | +weight: 90 |
| 11 | +--- |
| 12 | + |
| 13 | +This page provides YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool. |
| 14 | + |
| 15 | +## Overview |
| 16 | + |
| 17 | +The Redis Enterprise log collector script helps gather diagnostic information for troubleshooting. |
| 18 | +The log collector requires different permission levels depending on the collection mode you choose. |
| 19 | +It has two collection modes that require different RBAC permissions: |
| 20 | +h |
| 21 | +- **Restricted mode** (recommended): Collects only Redis Enterprise resources with minimal security exposure. Default for versions 6.2.18-3+. |
| 22 | +- **All mode**: Collects comprehensive cluster information including nodes, storage classes, and operator resources. Use when specifically requested by Redis Support. |
| 23 | + |
| 24 | +## RBAC configurations |
| 25 | + |
| 26 | +### Restricted mode |
| 27 | + |
| 28 | +{{<embed-md "k8s/log_collector_role_restricted_mode.md">}} |
| 29 | + |
| 30 | +### All mode |
| 31 | + |
| 32 | +{{<embed-md "k8s/log_collector_role_all_mode.md">}} |
| 33 | + |
| 34 | +{{< note >}} |
| 35 | +For the complete list of resources and permissions required by each mode, refer to the role definitions in the YAML files above. |
| 36 | +{{< /note >}} |
| 37 | + |
| 38 | +## Applying RBAC configurations |
| 39 | + |
| 40 | +### Namespace requirements |
| 41 | + |
| 42 | +The Role and RoleBinding must be created in every namespace where you need to collect logs. This varies based on your deployment model: |
| 43 | + |
| 44 | +- **Single namespace**: Apply to the namespace where Redis Enterprise runs |
| 45 | +- **Multi-namespace with single REC**: Apply to the REC namespace plus each REDB namespace |
| 46 | +- **Multi-namespace with multiple RECs**: Apply to each REC namespace |
| 47 | + |
| 48 | +The ClusterRole and ClusterRoleBinding need to be created only once per cluster. |
| 49 | + |
| 50 | +{{< note >}} |
| 51 | +Each YAML file contains both Role and ClusterRole objects. Running `kubectl apply` installs both components. You can safely run the command multiple times with different namespaces. |
| 52 | +{{< /note >}} |
| 53 | + |
| 54 | +### Manual deployment |
| 55 | + |
| 56 | +If you prefer to apply the configurations manually, save the YAML content to local files and apply them: |
| 57 | + |
| 58 | +```bash |
| 59 | +# Save the YAML content to a file |
| 60 | +kubectl apply -f log-collector-rbac.yaml --namespace <namespace> |
| 61 | +``` |
| 62 | + |
| 63 | +## Usage |
| 64 | + |
| 65 | +After applying the RBAC configuration, run the log collector: |
| 66 | + |
| 67 | +```bash |
| 68 | +# Restricted mode (default for 6.2.18-3+) |
| 69 | +python log_collector.py -m restricted -n <namespace> |
| 70 | + |
| 71 | +# All mode |
| 72 | +python log_collector.py -m all -n <namespace> |
| 73 | +``` |
| 74 | + |
| 75 | +## Security considerations |
| 76 | + |
| 77 | +- **Use restricted mode** unless you specifically need additional cluster information |
| 78 | +- **Limit namespace access** to only where log collection is needed |
| 79 | +- **Handle collected data** according to your organization's security policies (logs may contain sensitive information) |
| 80 | + |
| 81 | +### Secrets permission explanation |
| 82 | + |
| 83 | +The RBAC configurations request read access to secrets in the collected namespaces. **Secrets are not collected or included in the log package sent to Redis Support.** This permission is required because: |
| 84 | + |
| 85 | +- The log collector uses Helm commands (`helm list`, `helm get all`) to gather information about Redis Enterprise Helm chart deployments |
| 86 | +- Helm stores its deployment metadata in Kubernetes secrets |
| 87 | +- For Redis Enterprise charts, this metadata contains only deployment configuration (not sensitive data), but follows Helm's standard storage pattern |
| 88 | + |
| 89 | +If your security policies prohibit secrets access, you can remove the secrets permission from the Role, but this will limit the log collector's ability to gather Helm deployment information. |
| 90 | + |
| 91 | +## Troubleshooting |
| 92 | + |
| 93 | +If you encounter permission errors, verify that roles and bindings are applied correctly in the target namespaces. For missing resources, ensure the ClusterRole is applied and consider switching to all mode if additional resources are needed. |
| 94 | + |
| 95 | +## Related documentation |
| 96 | + |
| 97 | +- [Collect logs guide]({{< relref "/operate/kubernetes/logs/collect-logs" >}}) |
| 98 | +- [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) |
| 99 | +- [Redis Enterprise troubleshooting]({{< relref "/operate/kubernetes/logs" >}}) |
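Review bot: the Troubleshooting section (the line beginning "If you encounter permission errors") tells readers to "consider switching to all mode if additional resources are needed", which contradicts the Overview's guidance to use all mode only "when specifically requested by Redis Support"; reword the troubleshooting advice to point back to restricted mode and Support, and suggest a concrete check such as running `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<sa> -n <namespace>` against the collector's service account before escalating. A stray line containing only "h" sits between "It has two collection modes that require different RBAC permissions:" and the bullet list; delete it. In the Overview, the sentences "The log collector requires different permission levels depending on the collection mode you choose." and "It has two collection modes that require different RBAC permissions:" say the same thing; keep one. In "Secrets permission explanation", the claim that Helm release metadata "contains only deployment configuration (not sensitive data)" is stronger than the page can support: a Helm release secret holds the rendered manifests and the supplied values, so any sensitive value passed at install time is readable with `get` on secrets; qualify the statement (for example, that the collector does not include secret contents in the package, and that the permission can be dropped at the cost of Helm data) rather than asserting the data is never sensitive. In "Manual deployment", the comment "# Save the YAML content to a file" is not a command and the snippet never shows the save step; either show the file being written or change the comment to describe the apply command, and note that `--namespace` only scopes the Role and RoleBinding in that file, while the ClusterRole and ClusterRoleBinding it also contains are cluster-wide and unaffected by the flag. Finally, the note "You can safely run the command multiple times with different namespaces" should state why it is safe (the cluster-scoped objects are re-applied unchanged, the namespaced ones are created per namespace) so readers know what to expect in the apply output.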