Question: Exposing Graylog to the internet

Hi,

In the IAM Kubernetes cluster all application and service logs are sent to Graylog, where they are processed and divided into streams. Developers and administrators need to browse the logs to see the status of the applications running in the cluster.
Graylog has built-in support for managing users and roles, where one can define for example a “sso-dev” role. A user with that role will be able to see the logs from the sso-dashboard application, but not other logs. So once the user is logged in, we can define the level of access with granularity.

Currently Graylog is not exposed to the internet, and the only way to browse its UI is to use kubectl port-forward. This was ok for the beginning, but as we move on, we want to make this service easier to access (and faster).

I’m looking for your input and your expertise for figuring out how to expose it to the internet. I have two ideas, but I’m generally open to anything.

  • Deploy a Mozilla OIDC AccessProxy in front of Graylog and integrate it with the Graylog plugin for SSO. Once this is done we could expose Graylog to the internet using an Ingress rule, and create a DNS record for it.

  • Expose Graylog to an internal IP in the cluster, and create a VPN which allows us to reach that IP. After that, we could still use the OIDC proxy, or manage users manually.

I’d prefer to use the first solution, as it is simpler to manage. But I’m also concerned because the information contained there is sensitive: all logs from all services running in the cluster.

What do you think?
@kang @gene @akrug @ericz @dhartnell
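As an added example (not part of the original post or of the Mozilla accessproxy project), here is what the first option looks like as Kubernetes manifests: the proxy Deployment and Service, an Ingress that points at the proxy rather than at Graylog, and a NetworkPolicy that makes Graylog's web port reachable only from the proxy pods. The namespace, labels, hostname, image, ports and the proxy's environment variable names are all assumptions; take the real variable names from the accessproxy README and the real input ports from the Graylog inputs that are configured.

```yaml
# Added example, not from the original post. Namespace, labels, hostname,
# image tag, ports and the env var names are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: graylog-oidc-proxy
  namespace: logging
spec:
  replicas: 2
  selector:
    matchLabels: {app: graylog-oidc-proxy}
  template:
    metadata:
      labels: {app: graylog-oidc-proxy}
    spec:
      containers:
      - name: proxy
        image: mozillaiam/mozilla.oidc.accessproxy:latest   # assumed name; pin a digest in practice
        ports: [{containerPort: 80}]
        envFrom:
        - secretRef:
            name: graylog-oidc-proxy-env   # assumed: client_id, client_secret, discovery URL, session secret
        env:
        - name: backend                    # assumed var name: upstream the proxy forwards to
          value: http://graylog-web.logging.svc.cluster.local:9000
---
apiVersion: v1
kind: Service
metadata: {name: graylog-oidc-proxy, namespace: logging}
spec:
  selector: {app: graylog-oidc-proxy}
  ports: [{port: 80, targetPort: 80}]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: graylog
  namespace: logging
spec:
  tls:
  - hosts: [graylog.example.org]        # assumed hostname; this is the DNS record from the post
    secretName: graylog-tls
  rules:
  - host: graylog.example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: graylog-oidc-proxy      # the proxy, never the Graylog Service itself
            port: {number: 80}
---
# Graylog's web/API port is reachable only from the proxy pods, so nobody can
# bypass the OIDC login by talking to port 9000 directly. Log inputs stay open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: graylog-web-only-via-proxy
  namespace: logging
spec:
  podSelector:
    matchLabels: {app: graylog}          # assumed label on the Graylog pods
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: graylog-oidc-proxy}
    ports:
    - {protocol: TCP, port: 9000}
  - from:
    - namespaceSelector: {}              # any pod in the cluster may ship logs
    ports:
    - {protocol: TCP, port: 12201}       # assumed GELF input port; list every configured input
```

The reason the NetworkPolicy matters: an SSO plugin that takes the username from a header set by the proxy trusts whoever can reach Graylog directly, so the proxy is only a security boundary if it is the only path to port 9000. Keep the Ingress backend on the proxy Service, and check after rollout that `kubectl port-forward` to the Graylog pod is the only remaining way around it.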

SSO is good enough for our most sensitive properties so I think that should work nicely here and be sufficiently secure for giving it a public IP.

I agree with Eric. I started to think about similar tools at Mozilla and Nubis exposes Kibana (with similar data) to the internet with SSO to restrict access.