Kubernetes Multitenancy - We are an Azure enterprise customer and want to fetch logs specific to AKS Namespaces into Log Analytics

3/1/2020

Question on Kubernetes (AKS) Multitenancy - We are an Azure enterprise customer and want to fetch logs specific to AKS Namespaces into Log Analytics; please suggest the best method to achieve this.

-- The Azure Guy
azure-aks
kubernetes
multi-tenant

2 Answers

3/16/2020

Log messages from an AKS cluster are stored in the same table set for all namespaces, therefore the permission model doesn't allow you to limit access to records with a specific namespace value.

I can imagine two ways to separate logs, based on a namespace name:

  1. Develop a front-end page (or adapt one of the existing solutions) for each tenant and fill it with data returned by a predefined Azure Monitor log query which filters messages based on the namespace value. This way each tenant will get only log messages related to his own namespace.

  2. Implement an EFK deployment, independent from Azure services, for each namespace and configure a fluent-bit sidecar to send logs to a log aggregator in the same namespace. This way each tenant can control what kind of data, and in which format, he wants to see by configuring his own Kibana dashboards.

Prometheus is not designed to store logs, but metrics.

-- VAS
Source: StackOverflow
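A query of the kind the first option relies on, added here as an illustration and not part of the answer above: it scopes ContainerLog rows to one namespace by joining them to KubePodInventory on ContainerID (the namespace name tenant-a and the one-hour window are assumed). It is only a filter, not an access control: a tenant who can query the workspace directly can drop the namespace clause, which is why the answer puts the query behind a per-tenant front end.

```kusto
// Assumed tenant namespace and lookback window (constructed for this example).
let tenantNamespace = "tenant-a";
let lookback = ago(1h);
// KubePodInventory maps each container ID to the pod and namespace it ran in.
KubePodInventory
| where TimeGenerated > lookback
| where Namespace == tenantNamespace
| project ContainerID, PodName = Name, Namespace
| distinct ContainerID, PodName, Namespace
// ContainerLog holds the stdout/stderr lines; it carries ContainerID but no namespace column,
// so the namespace restriction has to come from the inventory side of the join.
| join kind=inner (
    ContainerLog
    | where TimeGenerated > lookback
    | project TimeGenerated, ContainerID, LogEntrySource, LogEntry
  ) on ContainerID
| project TimeGenerated, Namespace, PodName, LogEntrySource, LogEntry
| order by TimeGenerated desc
```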

3/2/2020

An important aspect of multi-tenancy is having multi-tenancy at a layer above the Kubernetes cluster – so that your DevOps and developers can have one or more clusters belonging to different users or teams of users within your organization. This concept isn’t built into Kubernetes itself. Platform9 supports this by adding a layer of multi-tenancy on top of Kubernetes via the concept of ‘regions’ and ‘tenants’. A region in Platform9 maps to a geographical location. A tenant can belong to multiple regions. A group of users can be given access to one or more tenants. Once in a tenant, the group of users can create one or more clusters, which will be isolated and accessible only to the users within that tenant. This provides separation of concerns across different teams and departments.

I advise you to block traffic between specific namespaces. Many Kubernetes deployments allow network communication between namespaces. If you need to support multiple tenants, you’ll want to change this in order to add isolation to each namespace.

You can do this using Network Policies. Here’s an example Network Policy file that will block traffic from external namespaces:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-namespace-traffic-example
spec:
  # Empty pod selector: the policy applies to every pod in the namespace it is created in.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # An empty podSelector in "from" matches all pods of the same namespace only,
    # so ingress from pods in other namespaces is denied.
    - podSelector: {}

After creating the file, apply it with the command below:

$ kubectl apply -f example-network-policy.yaml -n=your-namespace

For AKS, Log Analytics may be your log aggregator of choice. You will need a way to export your container logs into Log Analytics. You can deploy the Azure Monitor solution which does this for you; however, if you are running your own cluster, or even using another cloud provider and still want to use Log Analytics, then it's not quite so simple. That is why more and more people are using Fluent Bit.

Take a look at these useful articles: multi-tenancy-kubernetes, network-policies.

Please let me know if it helps.

-- MaggieO
Source: StackOverflow