Add log collector RBAC documentation and navigation improvements

- Added comprehensive log collector RBAC page with restricted and all mode configurations
- Updated logs section index to include log collector RBAC documentation
- Added direct links from collect-logs.md to specific YAML examples
- Configured proper navigation order (collect logs before RBAC)
- Each YAML example is in its own linkable subsection for direct referencing
- Includes complete RBAC configurations using existing embed files from content/embeds/k8s/
- Provides security considerations and troubleshooting guidance

Author: kaitlynmichael

content/operate/kubernetes/logs/_index.md

@@ -1,22 +1,28 @@
 ---
-Title: Redis Enterprise Software logs on Kubernetes
+Title: Logs
 alwaysopen: false
 categories:
 - docs
 - operate
 - kubernetes
-description: This section provides information about how logs are stored and accessed.
+description: Access and manage Redis Enterprise logs on Kubernetes for monitoring and troubleshooting.
 hideListLinks: true
 linkTitle: Logs
 weight: 60
 ---
 
-## Logs
+Access and manage Redis Enterprise logs on Kubernetes for monitoring, troubleshooting, and debugging your Redis Enterprise deployment. Logs provide valuable insights into cluster operations, database performance, and system health.
 
-Each redis-enterprise container stores its logs under `/var/opt/redislabs/log`.
-When using persistent storage this path is automatically mounted to the
-`redis-enterprise-storage` volume.
-This volume can easily be accessed by a sidecar, i.e. a container residing on the same pod.
+## Log collection and access
+
+Learn how to collect and access logs from your Redis Enterprise deployment:
+
+- [Collect logs]({{< relref "/operate/kubernetes/logs/collect-logs" >}}) - Methods for collecting logs from Redis Enterprise pods and containers
+- [Log collector RBAC]({{< relref "/operate/kubernetes/logs/log-collector-rbac" >}}) - RBAC configurations for log collection in restricted and all modes
+
+## Log storage and access
+
+Each Redis Enterprise container stores its logs under `/var/opt/redislabs/log`. When using persistent storage, this path is automatically mounted to the `redis-enterprise-storage` volume, making logs accessible through sidecar containers or external log collection tools.
 
 For example, in the REC (Redis Enterprise Cluster) spec you can add a sidecar container, such as a busybox, and mount the logs to there:
 

content/operate/kubernetes/logs/collect-logs.md

@@ -15,41 +15,31 @@ The Redis Enterprise cluster (REC) log collector script ([`log_collector.py`](ht
 
 As of version 6.2.18-3, the log collector tool has two modes:
 
-- **restricted** collects only resources and logs created by the operator and Redis Enterprise deployments
+- **[restricted]({{< relref "/operate/kubernetes/logs/log-collector-rbac#restricted-mode-rbac" >}})** collects only resources and logs created by the operator and Redis Enterprise deployments
   - This is the default for versions 6.2.18-3 and later
-- **all** collects everything from your environment
+- **[all]({{< relref "/operate/kubernetes/logs/log-collector-rbac#all-mode-rbac" >}})** collects everything from your environment
   - This is the default mode for versions 6.2.12-1 and earlier
 
 {{<note>}} This script requires Python 3.6 or later. {{</note>}}
 
 1. Download the latest [`log_collector.py`](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/log_collector/log_collector.py) file.
 
 1. Have a K8s administrator run the script on the system that runs your `kubectl` or `oc` commands.
+    - Pass `-n` parameter to run on a different namespace than the one you are currently on
+    - Pass `-m` parameter to change the log collector mode (`all` or `restricted`)
+    - Run with `-h` to see more options
 
     ```bash
-    python log_collector.py
+    python log_collector.py 
     ```
 
-## Options
+   {{< note >}} If you get an error because the yaml module is not found, install the pyYAML module with `pip install pyyaml`.
+  {{< /note >}}
 
-You can run `log_collector.py` with the following options:
 
-| Option | Description |
-|--------|-------------|
-| `-n`, `--namespace` | Sets the namespace(s) to collect from. Can be set to a single namespace, or multiple namespaces (comma-separated). When left empty, will use the current context's namespace from kubeconfig. |
-| `-o`, `--output_dir` | Sets the output directory. Defaults to current working directory. |
-| `-a`, `--logs_from_all_pods` | Collect logs from all pods in the selected namespace(s), and otherwise collect only from the operator and pods run by the operator. |
-| `-t`, `--timeout` | Time to wait for external commands to finish execution (Linux only). Default to 180s. Specify 0 to disable timeout. |
-| `--k8s_cli` | The K8s cli client to use (kubectl/oc/auto-detect). Defaults to auto-detect (chooses between 'kubectl' and 'oc'). Full paths can also be used. |
-| `-m`, `--mode` | Controls which resources are collected. In 'restricted' mode, only resources associated with the operator and have the label 'app=redis-enterprise' are collected. In 'all' mode, all resources are collected. Defaults to 'restricted' mode. |
-| `--collect_istio` | Collect data from istio-system namespace to debug potential problems related to istio ingress method. |
-| `--skip_support_package` | Disable collection of RS support package from Redis Enterprise nodes. |
-| `--collect_empty_files` | Collect empty log files for missing resources. |
-| `--helm_release_name` | Collect resources related to the given Helm release name. |
-| `--collect_rbac_resources` | Temporary development flag. Collect all role based access control related custom resources. |
-| `-h`, `--help` | Show help message and exit. |
-
-{{< note >}} If you get an error because the yaml module is not found, install the pyYAML module with `pip install pyyaml`.
-{{< /note >}}
 
 1. Upload the resulting `tar.gz` file containing all the logs to [Redis Support](https://support.redislabs.com/).
+
+## RBAC requirements
+
+The log collector requires specific RBAC permissions depending on the collection mode. See [Log collector RBAC]({{< relref "/operate/kubernetes/logs/log-collector-rbac" >}}) for complete YAML configurations for both restricted and all modes.

content/operate/kubernetes/logs/log-collector-rbac.md

@@ -0,0 +1,195 @@
+---
+Title: Log collector RBAC
+alwaysopen: false
+categories:
+- docs
+- operate
+- kubernetes
+description: RBAC configurations for Redis Enterprise log collector in all and restricted modes.
+linkTitle: Log collector RBAC
+weight: 90
+---
+
+This page provides YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool. The log collector requires different permission levels depending on the collection mode you choose.
+
+## Overview
+
+The Redis Enterprise log collector script helps gather diagnostic information for troubleshooting. It has two collection modes that require different RBAC permissions:
+
+- **Restricted mode**: Collects only Redis Enterprise-related resources and logs (default for versions 6.2.18-3+)
+- **All mode**: Collects comprehensive cluster information including non-Redis resources (default for versions 6.2.12-1 and earlier)
+
+## When to use each mode
+
+### Restricted mode (recommended)
+
+Use restricted mode when:
+- You want to minimize security exposure
+- Your organization has strict RBAC policies
+- You only need Redis Enterprise-specific troubleshooting data
+- You're running version 6.2.18-3 or later (default mode)
+
+### All mode
+
+Use all mode when:
+- You need comprehensive cluster diagnostics
+- Redis Support specifically requests additional cluster information
+- You're troubleshooting complex issues that may involve non-Redis resources
+- You're running version 6.2.12-1 or earlier (default mode)
+
+## Permission differences
+
+The key differences between the two modes:
+
+| Resource Category | Restricted Mode | All Mode |
+|------------------|----------------|----------|
+| **Cluster-level resources** | Limited | Full access |
+| **Node information** | ❌ No access | ✅ Full access |
+| **Storage classes** | ❌ No access | ✅ Full access |
+| **Volume attachments** | ❌ No access | ✅ Full access |
+| **Certificate signing requests** | ❌ No access | ✅ Full access |
+| **Operator resources** | ❌ No access | ✅ Full access |
+| **Istio resources** | ❌ No access | ✅ Full access |
+
+## Restricted mode RBAC
+
+Use restricted mode for minimal security exposure while still collecting essential Redis Enterprise diagnostics.
+
+{{<embed-md "k8s/log_collector_role_restricted_mode.md">}}
+
+### Restricted mode permissions
+
+The restricted mode provides access to:
+
+**Role permissions (namespace-scoped):**
+- **Pods and logs**: Read pod information and access container logs
+- **Pod exec**: Execute commands inside containers for diagnostics
+- **Core resources**: Access to services, endpoints, ConfigMaps, secrets, and storage resources
+- **Workload resources**: Read deployments, StatefulSets, DaemonSets, and jobs
+- **Redis Enterprise resources**: Full read access to all Redis Enterprise custom resources
+- **Networking**: Read ingress and network policy configurations
+- **OpenShift routes**: Read route configurations (for OpenShift environments)
+
+**ClusterRole permissions (cluster-scoped):**
+- **Persistent volumes**: Read cluster-wide storage information
+- **Namespaces**: Read namespace information
+- **RBAC**: Read cluster roles and bindings
+- **Custom resource definitions**: Read Redis Enterprise CRDs
+- **Admission controllers**: Read ValidatingWebhook configurations
+
+## All mode RBAC
+
+Use all mode when you need comprehensive cluster diagnostics or when specifically requested by Redis Support.
+
+{{<embed-md "k8s/log_collector_role_all_mode.md">}}
+
+### All mode additional permissions
+
+In addition to all restricted mode permissions, all mode provides:
+
+**Additional ClusterRole permissions:**
+- **Nodes**: Read cluster node information and status
+- **Storage classes**: Read storage class configurations
+- **Volume attachments**: Read volume attachment status
+- **Certificate signing requests**: Read certificate management information
+- **Operator resources**: Read OLM (Operator Lifecycle Manager) resources
+- **Istio resources**: Read Istio service mesh configurations
+
+## Role binding
+
+Bind the Role to your service account in each namespace where you want to collect logs.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: redis-enterprise-log-collector
+  namespace: <target-namespace>
+subjects:
+- kind: ServiceAccount
+  name: redis-enterprise-log-collector
+  namespace: <service-account-namespace>
+roleRef:
+  kind: Role
+  name: redis-enterprise-log-collector
+  apiGroup: rbac.authorization.k8s.io
+```
+
+## Cluster role binding
+
+Bind the ClusterRole to your service account for cluster-wide permissions.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: redis-enterprise-log-collector
+subjects:
+- kind: ServiceAccount
+  name: redis-enterprise-log-collector
+  namespace: <service-account-namespace>
+roleRef:
+  kind: ClusterRole
+  name: redis-enterprise-log-collector
+  apiGroup: rbac.authorization.k8s.io
+```
+
+## Usage
+
+Apply the appropriate RBAC configuration and role bindings, then run the log collector with the desired mode:
+
+```bash
+# Restricted mode (default for 6.2.18-3+)
+python log_collector.py -m restricted -n <namespace>
+
+# All mode
+python log_collector.py -m all -n <namespace>
+```
+
+## Security considerations
+
+### Principle of least privilege
+
+- **Start with restricted mode**: Use restricted mode unless you specifically need additional cluster information
+- **Limit namespace access**: Only grant permissions in namespaces where log collection is needed
+- **Time-bound access**: Consider creating temporary RBAC resources for log collection activities
+
+### Sensitive data handling
+
+Both modes collect:
+- **Secrets metadata**: Names and types of secrets (not the actual secret values)
+- **ConfigMap data**: Configuration information that may contain sensitive settings
+- **Pod logs**: Application logs that may contain sensitive information
+
+Ensure collected logs are handled according to your organization's data security policies.
+
+## Troubleshooting
+
+### Permission denied errors
+
+If you encounter permission errors:
+
+1. **Verify RBAC resources**: Ensure roles and bindings are applied correctly
+2. **Check service account**: Confirm the service account has the necessary bindings
+3. **Validate namespace access**: Ensure role bindings exist in target namespaces
+4. **Review mode requirements**: Verify you're using the correct mode for your needs
+
+### Missing resources
+
+If the log collector reports missing resources:
+
+1. **Check cluster role permissions**: Ensure ClusterRole is applied and bound
+2. **Verify CRD access**: Confirm access to Redis Enterprise custom resource definitions
+3. **Review mode selection**: Consider switching to all mode if additional resources are needed
+
+## Next steps
+
+- [Learn about log collection]({{< relref "/operate/kubernetes/logs/collect-logs" >}})
+- [Explore YAML deployment examples]({{< relref "/operate/kubernetes/reference/yaml-examples" >}})
+- [Configure monitoring]({{< relref "/operate/kubernetes/re-clusters/connect-prometheus-operator" >}})
+
+## Related documentation
+
+- [Collect logs guide]({{< relref "/operate/kubernetes/logs/collect-logs" >}})
+- [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- [Redis Enterprise troubleshooting]({{< relref "/operate/kubernetes/logs" >}})