How to view project log data within multi-tenant logging

You can only view the log data for a Project to which you have been granted access.

Access Project Grafana’s UI

Run the following commands on the management cluster:

  1. Determine the namespace of the workspace that your project is in. You can use the dkp get workspaces command to see the list of workspace names and their corresponding namespaces.

    dkp get workspaces

    Copy the value under the NAMESPACE column for your workspace.

  2. Export the WORKSPACE_NAMESPACE variable:

  3. Execute the following command to get the namespace of your project

    kubectl get projects -n ${WORKSPACE_NAMESPACE}

    Copy the value under PROJECT NAMESPACE column for your project. This may NOT be identical to the Display Name of the Project.

  4. Export the PROJECT_NAMESPACE variable:


    Run the following commands on the attached cluster to access the Project Grafana’s UI:

    Ensure you switched to the correct context or kubeconfig of the attached cluster for the following kubectl commands:

  5. Get the Grafana URL:

    kubectl get ingress -n ${PROJECT_NAMESPACE} ${PROJECT_NAMESPACE}-project-grafana-logging -o go-template='https://{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}{{with index .spec.rules 0}}{{with index .http.paths 0}}{{.path }}{{end}}{{end}}{{"\n"}}'

View Logs in Grafana

  1. Go to the Explore tab:

    kubectl get ingress -n ${PROJECT_NAMESPACE} ${PROJECT_NAMESPACE}-project-grafana-logging -o go-template='https://{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}{{with index .spec.rules 0}}{{with index .http.paths 0}}{{.path }}{{end}}{{end}}/explore{{"\n"}}'
  2. You may be prompted to log in using the SSO flow. See Authentication and Authorization for more information.

  3. At the top of the page, change the data source to Loki.

See the Grafana Loki documentation for more on how to use the interface to view and query logs.

View Grafana Loki Logs

Cert-Manager and Traefik must be deployed in the attached cluster to be able to access the Grafana UI. These are deployed by default on the workspace.

You can configure workspace policy to restrict access to the Project logging Grafana UI. Each Grafana instance in a Project has a unique URL at the cluster level. Consider creating a WorkspaceRoleBinding that maps to a ClusterRoleBinding, on attached cluster(s), for each Project level Grafana instance. For example, If you have a group named sample-group and two projects named first-project and second-project in sample-workspace workspace, then the Role Bindings look similar to the following:

Project Grafana Workspace Role Binding

Select the correct role bindings for each group for a project at the workspace level.