Showing results for 
Show  only  | Search instead for 
Did you mean: 

Separate multi-tenant log data with management zones

Separate log data with management zones


Currently we separate tenants on our kubernetes platform using management zones.
Each tenant can have multiple namespaces and are prefixes with the tenant name.
For example tenant1-namespace1, tenant1-namespace2, tenant2-namespace1.
A tenant represents a proces group that is tied to a management zone, policy and one or more synced (SSO) SCIM Active Directory groups.
We're using Container groups (Process group naming) to make process group tenant1 with all workloads (tenant1-namespace1, tenant1-namespace2)
Each tenant (dt.entity.process_group_instance) has their own process group (tenant1) and their own management zone (tenant1).
This works perfectly.


Now we also want to isolate the log data between tenants. So each tenant should only see their own logs.
The can share data (like logs and dashboards), but primarily they should only see the logs of their own workload and the underlying platform.


The problem is that it looks like the logviewer doesn't seem to be able to filter on management zones or on dt.entity.process_group_instance or any other field
and separate them between tenants/users
So the tenant sees all logs of all other tenants on the whole platform, or no logs at all.
How can we tackle this?
Other platforms support this. The method of log ingestion is API, Fluentd or Oneagent itself but this is not really relevant in this case. We have plenty of ways to isolate the tenant using fields like dt.entity.process_group_instance or labels in Kubernetes or the payload itself.


Our approach:
We now have the following policy for logging on each tenant that looks like this:
ALLOW storage:buckets:read;
ALLOW storage:system:read,
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:logviewer WHERE environment:management-zone = "tenant1-mgmtzone";


What we want is something like this, but that doesn't seem to work:
ALLOW storage:system:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:events:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:buckets:read WHERE storage:table-name = "tenant1-mgmtzone";
ALLOW storage:metrics:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:entities:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:bizevents:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW storage:spans:read WHERE environment:management-zone = "tenant1-mgmtzone";
ALLOW environment:roles:viewer WHERE environment:management-zone = "tenant1-mgmtzone";


Logs and events, advantaged mode using Grail

Hi, its more about data ownership. That the people in one management zone can only read their own data (logdata) regardless of the form of the data. In our case this is json and syslog compatible logging, but that is only important for processing.


We've made a feature request and we are investigating some new possibilities:


Hello PeterR, 
 Is this something you are looking for? 
The source: 

Hi, unfortunately no. In Kubernetes, tenants are separated by data ownership on a application level like namespaces, labels and annotations. Not underlying hosts. Pods and containers share underlying hosts. It's an abstraction layer so to speak. But thanks for your reply.


Hello all.

I think this should be a new idea. Filter logs based on Management Zone.

Featured Posts