Skip to main content
Calico Enterprise 3.19 (latest) documentation

Configure RBAC for Elasticsearch logs and events

Big picture

Configure fine-grained user access controls for flow logs, audit logs, DNS logs, and intrusion detection events.

Value

Security teams and auditors require Elasticsearch logs and associated reports. Teams responsible for threat defense (suspicious IPs and domains), may have different roles. When sharing a user interface, it is critical to provide fine-grained RBAC. Calico Enterprise lets you manage user access at the cluster, feature, and feature subset levels. For example, users without permissions to specific Elasticsearch resources (for example, DNS logs), will not see data displayed on pages that use the Elasticsearch resource.

Concepts

RBAC for logs and events

Elasticsearch resources are associated with the Kubernetes API group, lma.tigera.io. You can grant access to resources per cluster. The default cluster name for Calico Enterprise is, cluster. As shown in the following table, each Elasticsearch resource is mapped to a specific RBAC resource name within the lma.tigera.io API group. In Calico Enterprise Manager, Elasticsearch resources are called, indexes or indices.

Elasticsearch accessKubernetes RBAC resource nameDescription
tigera_secure_ee_flowsflowsAccess to indices with data for Flow logs.
tigera_secure_ee_audit*audit*Access to indices with data for both Calico Enterprise and Kubernetes audit logs. The UI currently uses this query for searching both Kubernetes and Calico Enterprise audit logs.
tigera_secure_ee_audit_eeaudit_eeAccess to indices with data for Calico Enterprise audit logs.
tigera_secure_ee_audit_kubeaudit_kubeAccess to indices with data for Kubernetes audit logs
tigera_secure_ee_eventseventsAccess to indices with data for Calico Enterprise intrusion detection events.
kibana_loginkibana_loginAllows an OIDC user to log in to Kibana and have read permissions for discover, visualize and dashboard.
superuserelasticsearch_superuserGrants superuser access for all Elastic related actions, which include Kibana user and license management.
tigera_secure_ee_l7l7Access to indices with data for L7 logs
note

Because the lma.tigera.io API group is used only for RBAC, and is not backed by an actual API, it does not provide access to any other Kubernetes resources.

Before you begin

Required

How to

Create access to a specific Elasticsearch resource

Create a ClusterRole with permissions to the resource using the table in the Concepts section. In this example, the ClusterRole named, audit-ee-only provides access to Calico Enterprise audit logs using the resourceNames: ["audit_ee"]. The apiGroups: ["lma.tigera.io"] is required.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: audit-ee-only
rules:
- apiGroups: ['lma.tigera.io']
resources: ['cluster']
resourceNames: ['audit_ee']
verbs: ['get']

Allow user access to a specific Elasticsearch resource

To allow a user access to a specific Elasticsearch resource, create a ClusterRoleBinding. In the following example, the ClusterRoleBinding allows user bob access only to the resource, Calico Enterprise audit logs (audit-ee-only).

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: bob-es-access
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: audit-ee-only
apiGroup: rbac.authorization.k8s.io

Verify user access to a specific Elasticsearch resource

Create a SubjectAccessReview spec to verify user access to a specific Elasticsearch resource. In the SubjectAccessReview spec, set the following:

  • group: lma.tigera.io
  • resource: cluster
  • verb: get
  • resource: a Kubernetes RBAC resource name
  • user: username you are verifying
note

When verifying the audit* RBAC resource name (which accesses both Calico Enterprise and Kubernetes audit logs), create a SubjectAccessReview only on audit*; this provides the correct verification results. Do not create a SubjectAccessReview to query the individual audit_ee or audit_kube resources; results ("allowed: false") do not accurately reflect user access.

kubectl create -o yaml -f - <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
resourceAttributes:
group: lma.tigera.io
resource: cluster
name: audit_ee
verb: get
user: bob
EOF

View the status and allowed fields to verify that the ClusterRoleBinding is doing what you expect. In this example, bob is allowed access (allowed: true) using the ClusterRoleBinding, "bob-es-access" for the audit-ee-only resource.

apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
metadata:
creationTimestamp: null
spec:
resourceAttributes:
group: lma.tigera.io
name: audit_ee
resource: cluster
verb: get
user: bob
status:
allowed: true
reason: 'RBAC: allowed by ClusterRoleBinding "bob-es-access" of ClusterRole "audit-ee-only"
to User "bob"'

Create access to all Elasticsearch resources

In a ClusterRole resource, set the field, resourceNames: [] to allow access to all Elasticsearch resources.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: allow-all-es
rules:
- apiGroups: ['lma.tigera.io']
resources: ['cluster']
resourceNames: []
verbs: ['get']

Allow user access to all Elasticsearch resources

In this example, we create a binding that allows the user jane access to all Elasticsearch resources.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jane-allow-all-es
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: allow-all-es
apiGroup: rbac.authorization.k8s.io

Verify user access to all Elasticsearch resources

To verify if a user has access to all Elasticsearch resources, create a SubjectAccessReview and set the name: field with an empty string, "" ("all").

kubectl create -o yaml -f - <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
resourceAttributes:
group: lma.tigera.io
resource: cluster
name: ""
verb: get
user: bob
EOF

View the status and allowed fields to verify that bob cannot access any Elasticsearch resources (allowed: false).

apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
metadata:
creationTimestamp: null
spec:
resourceAttributes:
group: lma.tigera.io
resource: cluster
verb: get
user: bob
status:
allowed: false
reason: no RBAC policy matched

Additional resources