Menu
Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Monitor infrastructurebreadcrumb arrow Kubernetes Monitoringbreadcrumb arrow Configure Kubernetes Monitoringbreadcrumb arrow Control access
Grafana Cloud

Control access with LBAC using namespace label

You can use Label-Based Access Control (LBAC) to limit access in Kubernetes Monitoring to an individual team by using any Prometheus label that exists on the Kubernetes metrics. The following are steps to use the namespace label. In this way, a team’s namespace can access only the metrics and logs they are responsible for, including viewing alerts and performing analysis and troubleshooting.

To accomplish LBAC, you create a cloud access policy and token that is assigned to the namespace that needs limited access. When you create the access policy token, Grafana Cloud creates a logical segmentation of logs and metrics in the Cloud Logs and Prometheus databases. Members of the team then have access only to those logs and metrics.

The following diagram shows two access polices with their tokens have been created for two separate teams.

Diagram of two team namespaces with access only to their specific metrics and logs
Diagram of two team namespaces with access only to their specific metrics and logs

The major steps to create one access policy per namespace are:

  1. Remove default data source permissions.
  2. Create a namespace.
  3. Create or sync the team.
  4. Create the access policy for the namespace.
  5. Create the access policy token.
  6. Assign team to data source.
  7. Select the data source for the namespace in Kubernetes Monitoring.

Remove default data source permissions

Remove the default Editor and Viewer permissions that apply to the cloud Prometheus and logs data sources. This prevents everyone being able to access all the data.

  1. In the Grafana Cloud portal of your stack, expand Connections on the main menu.
  2. Select Data sources
  3. Select the default data source.
  4. Click the Permissions tab.
  5. Delete the Editor role by selecting the X at the end of the row.
  6. Delete the Viewer role by selecting the X at the end of the row.
    A list of roles and their permissions for the data source
    A list of roles and their permissions for the data source

Create a namespace

Create a new namespace.

Sync or create the team

If you have already created a team using a third party, refer to Configure team sync.

If you have not created a team, create the team in Grafana Cloud, and add the appropriate team members.

Create an access policy for the namespace

Create an access policy for the namespace.

  1. In the Grafana Cloud portal of your stack, expand Administration in the main menu.
  2. Select Users and access on the menu.
  3. At the Users and access page, click Cloud access policies.
  4. Click Create access policy.
  5. In the Create new access policy window, enter the following:
    1. Display name: Enter a name for the policy.
    2. Scopes: Select Read for metrics and logs.
    3. Label selectors:
      • Click Add label selector and add the following, changing the name of your namespace:
        { namespace = “mynamespace” }
      • Click Add label selector, then copy and paste the following in the label selector field:
        {cluster!="", __name__=~"kubecost_cluster_info|node_total_hourly_cost|pod_pvc_allocation|cluster:namespace:pod_cpu.active:kube_pod_container_resource_requests|node_cpu_hourly_cost|kube_node_.*|machine_.*"}
  6. Click Create to create the policy.
Fields completed for **Create new access policy** window
Fields completed for Create new access policy window

Create access policy token

Create an access policy token for the access policy. As part of this process, you create data sources within the logs and metrics data sources that are available in Grafana Cloud. These custom data sources segmented areas of the two underlying databases, and they are specifically for the team associated with the namespace.

  1. In the Cloud access policies page, find the access policy you created.
  2. Click Add token.
  3. In the Create new token window, enter the name of the token, and click Create.
  4. In the Token successfully added window:
    1. Click Create data source for both the Prometheus and Logs data sources. Grafana generates each data source that will be available only with this access policy token.
    2. Click Copy to clipboard to copy the token.
    3. Paste the token into a file in a safe place.

Assign the team to the custom data sources

Change the permissions of the custom data sources that Grafana generated for the access policy token, and add the team to the new data sources.

In the Token successfully added window, complete the following steps for the Cloud Prometheus and Cloud Logs data sources.

  1. Click the Data source settings link next to the data source to open its settings.
  2. Select the Permissions tab.
  3. Delete the Viewer and Editor roles.
  4. Click Add a permission.
  5. In the drop-down menu, select Team.
  6. Select the team.
  7. Leave the Query permission selected.
  8. Click Save.

Choose the data source in Kubernetes Monitoring

Now team members can use the data source picker to view the data source for their namespace and view the data available to them.

Data source picker in Kubernetes Monitoring showing a custom data source
Data source picker in Kubernetes Monitoring showing a custom data source