Create a service account and save the token
Install the log socket service
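# Deploy the log-socket chart (Logging-with-RBAC/log-socket) as release "log-socket".
helm install log-socket Logging-with-RBAC/log-socket

# The tokens read below are bearer credentials for the service accounts:
# keep them out of shell history, logs and shared terminals.
# NOTE: the lookup relies on the auto-created token Secret listed under
# .secrets[0]. Kubernetes 1.24+ no longer creates one, so the lookup comes
# back empty there; `kubectl create token <sa>` issues a short-lived token.
# Assignment is split from `export` so a failing kubectl/base64 is not hidden
# behind export's own exit status. The inner substitution is quoted so an empty
# Secret name is passed as an (invalid) empty name rather than dropped.
# --decode is accepted by both GNU and BSD/macOS base64; -D is BSD-only.
kubectl create sa alice
ALICE_TOKEN=$(kubectl get secret "$(kubectl get sa alice -o=jsonpath='{.secrets[0].name}')" -o=jsonpath='{.data.token}' | base64 --decode)
export ALICE_TOKEN

kubectl create sa bob
BOB_TOKEN=$(kubectl get secret "$(kubectl get sa bob -o=jsonpath='{.secrets[0].name}')" -o=jsonpath='{.data.token}' | base64 --decode)
export BOB_TOKEN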
Add policy label to the Pod
# Release "foo": add the label that allows alice.
# NOTE(review): the label key looks like rbac/<namespace>_<serviceaccount> - confirm.
# Log access appears to be decided by these pod labels, so anyone who can set
# labels on the pods (or change the chart values) can grant access; keep that
# permission as tightly scoped as the log access itself.
helm upgrade foo LetsHelpBob/log-generator \
  --set extraLabels.rbac/default_alice=allow

# Release "bar": labelled to allow both bob and alice.
helm install bar LetsHelpBob/log-generator \
  --set extraLabels.rbac/default_bob=allow \
  --set extraLabels.rbac/default_alice=allow
Tail the flow
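# Tail the flow default/geoip-flow once per identity. For each JSON record jq
# prints the pod name, or the record's .error field when there is no
# .kubernetes metadata.
# Presumably each tail streams until interrupted, so run them in separate terminals.
# The token expansions are quoted so an empty or unset variable cannot shift
# the argument list.
# Caveats: --token places the bearer token on the command line, where it is
# visible in the process list while the tail runs; 2>/dev/null discards stderr,
# so anything k8stail reports there is hidden - drop it when troubleshooting.
./k8stail flow default/geoip-flow --token "$ALICE_TOKEN" 2>/dev/null | jq -r 'if .kubernetes != null then "[ALICE]: \(.kubernetes.pod_name)" else "[ALICE]: \(.error)" end'
./k8stail flow default/geoip-flow --token "$BOB_TOKEN" 2>/dev/null | jq -r 'if .kubernetes != null then "[BOB]: \(.kubernetes.pod_name)" else "[BOB]: \(.error)" end'

# Inspect the logging resources behind the tail: everything in logging-all,
# then the geoip-flow-tailer output and the geoip-flow flow as YAML.
kubectl get logging-all
kubectl get output geoip-flow-tailer -o yaml | yq
kubectl get flow geoip-flow -o yaml | yq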
Get all objects that I can grab logs from
# List, across all namespaces (-A), the pods labelled as allowed for alice.
# This is a quick way to audit who currently has log access.
kubectl get po -l rbac/default_alice=allow -A

# Release "bar": keep bob allowed and switch alice's label to deny.
helm upgrade bar LetsHelpBob/log-generator \
  --set extraLabels.rbac/default_bob=allow \
  --set extraLabels.rbac/default_alice=deny