17 Jul 2023 09:17 AM - last edited on 19 Apr 2024 12:12 PM by Michal_Gebacki
18 Jul 2023 04:57 PM
Hi, it's more about data ownership. That the people in one management zone can only read their own data (log data) regardless of the form of the data. In our case this is JSON and syslog-compatible logging, but that is only important for processing.
02 Aug 2023 10:18 AM
We've made a feature request and we are investigating some new possibilities:
https://community.dynatrace.com/t5/Product-ideas/opt-in-logging-using-kubernetes-labels/idi-p/219533
08 Aug 2023 10:26 PM - last edited on 29 Jul 2024 10:34 AM by Michal_Gebacki
Hello PeterR,
Is this something you are looking for?
09 Aug 2023 09:17 AM - edited 09 Aug 2023 09:18 AM
Hi, unfortunately no. In Kubernetes, tenants are separated by data ownership on an application level, like namespaces, labels and annotations, not underlying hosts. Pods and containers share underlying hosts. It's an abstraction layer, so to speak. But thanks for your reply.
13 Jun 2024 10:00 AM
Hello all.
I think this should be a new idea. Filter logs based on Management Zone.
31 Jul 2024 02:24 PM - last edited on 27 Sep 2024 02:57 PM by Michal_Gebacki
Hi, we have the following workaround to achieve this.
It took a long time to figure this out.
For the record: We use Capsule in Kubernetes to separate teams
fetch logs //, scanLimitGBytes: 500, samplingRatio: 1000
| sort timestamp desc
| filter matchesValue(dt.security_context, "YOURTEAM")
| filter matchesValue(loglevel, "INFO")
Step 6 IAM policy
Each team needs to have the following IAM policy, named YOURTEAM-policy. Note that you only need 2 buckets. Security contexts will do the multi-tenancy (YOURTEAM splitting).
ALLOW environment:roles:viewer WHERE environment:management-zone = "YOURTEAM";
ALLOW storage:buckets:read WHERE storage:bucket-name = "YOUR_ORGANISATION_log-storage-7";
ALLOW storage:buckets:read WHERE storage:bucket-name = "YOUR_ORGANISATION_log-storage-30";
ALLOW storage:metrics:read WHERE storage:k8s.namespace.name STARTSWITH "YOURTEAM";
ALLOW storage:logs:read WHERE storage:dt.security_context = "YOURTEAM";
ALLOW platform-management:tenants:write;
ALLOW storage:buckets:read WHERE storage:bucket-name = "default_logs";
ALLOW storage:buckets:read WHERE storage:table-name = "metrics";
ALLOW app-engine:apps:run, app-engine:functions:run;
ALLOW automation:workflows:read, automation:rules:read, automation:calendars:read;
ALLOW document:documents:read, document:documents:write, document:documents:delete, document:environment-shares:read, document:environment-shares:write;
ALLOW document:environment-shares:claim, document:environment-shares:delete, document:direct-shares:read, document:direct-shares:write, document:direct-shares:delete;
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete, state:user-app-states:read;
ALLOW state:user-app-states:write, state:user-app-states:delete, app-settings:objects:read;
ALLOW hub:catalog:read;
ALLOW environment:roles:manage-settings WHERE environment:management-zone = "YOURTEAM";
ALLOW environment:roles:logviewer WHERE environment:management-zone = "YOURTEAM";
ALLOW storage:entities:read;
Step 7 Terraform everything
Optional but recommended! Export these settings for YOURTEAM to Terraform code with terraform --export (see Dynatrace docs) and create this for 50+ teams to realize full multi-tenancy for Kubernetes.
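As an added example (not code from the thread or from Dynatrace): a small Python script that renders the per-team policy from a template for many teams, as the Terraform step above suggests, and refuses to emit any policy whose storage:logs:read grant is not bound to that team's dt.security_context, which is the check that keeps one tenant from reading another tenant's logs. The statement syntax and a trimmed subset of the statements are assumed from the post above; the team and organisation names are constructed.

```python
import re

# Constructed template mirroring the thread's YOURTEAM-policy (trimmed to the
# tenant-relevant statements). Assumed syntax: "ALLOW <perms> [WHERE <cond>];".
POLICY_TEMPLATE = """\
ALLOW environment:roles:viewer WHERE environment:management-zone = "{team}";
ALLOW storage:buckets:read WHERE storage:bucket-name = "{org}_log-storage-7";
ALLOW storage:buckets:read WHERE storage:bucket-name = "{org}_log-storage-30";
ALLOW storage:metrics:read WHERE storage:k8s.namespace.name STARTSWITH "{team}";
ALLOW storage:logs:read WHERE storage:dt.security_context = "{team}";
ALLOW storage:entities:read;
"""

# One statement per line; the WHERE clause is optional.
STATEMENT = re.compile(r'^ALLOW\s+(?P<perms>[^;]+?)(?:\s+WHERE\s+(?P<cond>[^;]+))?;$')


def render_team_policy(team: str, org: str) -> str:
    """Fill the template for one team (the YOURTEAM placeholder)."""
    return POLICY_TEMPLATE.format(team=team, org=org)


def parse_policy(text: str):
    """Yield (permission, condition-or-None) pairs from policy text."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATEMENT.match(line)
        if not m:
            raise ValueError(f"unparsable statement: {line}")
        for perm in m.group("perms").split(","):
            yield perm.strip(), m.group("cond")


def logs_read_scoped_to(policy_text: str, team: str) -> bool:
    """True only if every storage:logs:read grant is bound to this team's
    security context; an unconditioned grant would expose all tenants' logs."""
    expected = f'storage:dt.security_context = "{team}"'
    grants = [c for p, c in parse_policy(policy_text) if p == "storage:logs:read"]
    return bool(grants) and all(c == expected for c in grants)


def render_all(teams, org):
    """Render <team>-policy for each team, rejecting any that is not tenant-scoped."""
    out = {}
    for team in teams:
        text = render_team_policy(team, org)
        if not logs_read_scoped_to(text, team):
            raise ValueError(f"policy for {team} is not tenant-scoped")
        out[f"{team}-policy"] = text
    return out
```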