K8s: add log collector options

content/operate/kubernetes/logs/_index.md

@@ -1,22 +1,28 @@
 ---
-Title: Redis Enterprise Software logs on Kubernetes
+Title: Logs
 alwaysopen: false
 categories:
 - docs
 - operate
 - kubernetes
-description: This section provides information about how logs are stored and accessed.
+description: Access and manage Redis Enterprise logs on Kubernetes for monitoring and troubleshooting.
 hideListLinks: true
 linkTitle: Logs
 weight: 60
 ---
 
-## Logs
+Access and manage Redis Enterprise logs on Kubernetes for monitoring, troubleshooting, and debugging your Redis Enterprise deployment. Logs provide valuable insights into cluster operations, database performance, and system health.
 
-Each redis-enterprise container stores its logs under `/var/opt/redislabs/log`.
-When using persistent storage this path is automatically mounted to the
-`redis-enterprise-storage` volume.
-This volume can easily be accessed by a sidecar, i.e. a container residing on the same pod.
+## Log collection and access
+
+Learn how to collect and access logs from your Redis Enterprise deployment:
+
+- [Collect logs]({{< relref "/operate/kubernetes/logs/collect-logs" >}}) - Methods for collecting logs from Redis Enterprise pods and containers
+- [Log collector RBAC]({{< relref "/operate/kubernetes/logs/log-collector-rbac" >}}) - RBAC configurations for log collection in restricted and all modes
+
+## Log storage and access
+
+Each Redis Enterprise container stores its logs under `/var/opt/redislabs/log`. When using persistent storage, this path is automatically mounted to the `redis-enterprise-storage` volume, making logs accessible through sidecar containers or external log collection tools.
 
 For example, in the REC (Redis Enterprise Cluster) spec you can add a sidecar container, such as a busybox, and mount the logs to there:
 

content/operate/kubernetes/logs/collect-logs.md

@@ -15,9 +15,9 @@ The Redis Enterprise cluster (REC) log collector script ([`log_collector.py`](ht
 
 As of version 6.2.18-3, the log collector tool has two modes:
 
-- **restricted** collects only resources and logs created by the operator and Redis Enterprise deployments
+- **[restricted]({{< relref "/operate/kubernetes/logs/log-collector-rbac#restricted-mode-rbac" >}})** collects only resources and logs created by the operator and Redis Enterprise deployments
   - This is the default for versions 6.2.18-3 and later
-- **all** collects everything from your environment
+- **[all]({{< relref "/operate/kubernetes/logs/log-collector-rbac#all-mode-rbac" >}})** collects everything from your environment
   - This is the default mode for versions 6.2.12-1 and earlier
 
 {{<note>}} This script requires Python 3.6 or later. {{</note>}}
@@ -39,3 +39,7 @@ As of version 6.2.18-3, the log collector tool has two modes:
 
 
 1. Upload the resulting `tar.gz` file containing all the logs to [Redis Support](https://support.redislabs.com/).
+
+## RBAC requirements
+
+The log collector requires specific RBAC permissions depending on the collection mode. See [Log collector RBAC]({{< relref "/operate/kubernetes/logs/log-collector-rbac" >}}) for complete YAML configurations for both restricted and all modes.

content/operate/kubernetes/logs/log-collector-rbac.md

@@ -0,0 +1,116 @@
+---
+Title: Log collector RBAC
+alwaysopen: false
+categories:
+- docs
+- operate
+- kubernetes
+description: RBAC configurations for Redis Enterprise log collector in all and restricted modes.
+linkTitle: Log collector RBAC
+weight: 90
+---
+
+This page provides YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool. The log collector requires different permission levels depending on the collection mode you choose.
+
+## Overview
+
+The Redis Enterprise log collector script helps gather diagnostic information for troubleshooting. It has two collection modes that require different RBAC permissions:
+
+- **Restricted mode**: Collects only Redis Enterprise-related resources and logs (default for versions 6.2.18-3+)
+- **All mode**: Collects comprehensive cluster information including non-Redis resources (default for versions 6.2.12-1 and earlier)
+
+## Collection modes
+
+- **Restricted mode** (recommended): Collects only Redis Enterprise resources with minimal security exposure. Default for versions 6.2.18-3+.
+- **All mode**: Collects comprehensive cluster information including nodes, storage classes, and operator resources. Use when specifically requested by Redis Support.
+
+## RBAC configurations
+
+### Restricted mode
+
+{{<embed-md "k8s/log_collector_role_restricted_mode.md">}}
+
+### All mode
+
+{{<embed-md "k8s/log_collector_role_all_mode.md">}}
+
+{{< note >}}
+For the complete list of resources and permissions required by each mode, refer to the role definitions in the YAML files above.
+{{< /note >}}
+
+## Applying RBAC configurations
+
+### Quick deployment
+
+Apply the RBAC configuration directly from the GitHub repository:
+
+```bash
+# For restricted mode (recommended)
+kubectl apply -f https://github.com/RedisLabs/redis-enterprise-k8s-docs/raw/master/log_collector/log_collector_restricted_mode_role.yaml \
+  --namespace <namespace>
+
+# For all mode
+kubectl apply -f https://github.com/RedisLabs/redis-enterprise-k8s-docs/raw/master/log_collector/log_collector_role_all_mode.yaml \
+  --namespace <namespace>
+```
+
+### Namespace requirements
+
+The Role and RoleBinding must be created in every namespace where you need to collect logs. This varies based on your deployment model:
+
+- **Single namespace**: Apply to the namespace where Redis Enterprise runs
+- **Multi-namespace with single REC**: Apply to the REC namespace plus each REDB namespace
+- **Multi-namespace with multiple RECs**: Apply to each REC namespace
+
+The ClusterRole and ClusterRoleBinding need to be created only once per cluster.
+
+{{< note >}}
+Each YAML file contains both Role and ClusterRole objects. Running `kubectl apply` installs both components. You can safely run the command multiple times with different namespaces.
+{{< /note >}}
+
+### Manual deployment
+
+If you prefer to apply the configurations manually, save the YAML content to local files and apply them:
+
+```bash
+# Save the YAML content to a file
+kubectl apply -f log-collector-rbac.yaml --namespace <namespace>
+```
+
+## Usage
+
+After applying the RBAC configuration, run the log collector:
+
+```bash
+# Restricted mode (default for 6.2.18-3+)
+python log_collector.py -m restricted -n <namespace>
+
+# All mode
+python log_collector.py -m all -n <namespace>
+```
+
+## Security considerations
+
+- **Use restricted mode** unless you specifically need additional cluster information
+- **Limit namespace access** to only where log collection is needed
+- **Handle collected data** according to your organization's security policies (logs may contain sensitive information)
+
+### Secrets permission explanation
+
+The RBAC configurations request read access to secrets in the collected namespaces. **Secrets are not collected or included in the log package sent to Redis Support.** This permission is required because:
+
+- The log collector uses Helm commands (`helm list`, `helm get all`) to gather information about Redis Enterprise Helm chart deployments
+- Helm stores its deployment metadata in Kubernetes secrets
+- For Redis Enterprise charts, this metadata contains only deployment configuration (not sensitive data), but follows Helm's standard storage pattern
+
+If your security policies prohibit secrets access, you can remove the secrets permission from the Role, but this will limit the log collector's ability to gather Helm deployment information.
+
+## Troubleshooting
+
+If you encounter permission errors, verify that roles and bindings are applied correctly in the target namespaces. For missing resources, ensure the ClusterRole is applied and consider switching to all mode if additional resources are needed.
+
+## Related documentation
+
+- [Collect logs guide]({{< relref "/operate/kubernetes/logs/collect-logs" >}})
+- [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+- [Redis Enterprise troubleshooting]({{< relref "/operate/kubernetes/logs" >}})