An Org serves as a tightly isolated bounded context that encompasses all the resources managed by Control Plane. These resources comprise domains, images, workloads, GVCs, users, groups, service accounts, and more.
A physical organization can create multiple ‘orgs,’ although this is not mandatory. Creating multiple orgs can be beneficial, for instance, to establish complete isolation between environments.
Refer to the Create an Org guide.
A user can be a member of one or more Orgs.
To switch Orgs in the Console, click the > to the right of the current org.

Control Plane offers the ability to ship all Org logs to an external provider. See the external logging guide for additional details and configuration instructions.
All orgs are set up with a random endpoint prefix. It can be found at {org}.status.endpointPrefix. This prefix is used in the workload canonical endpoint and can be configured per GVC.
OpenTelemetry traces are supported and can be configured with the native Control Plane tracing provider, or sent to an OpenTelemetry collector endpoint by using the OpenTelemetry tracing provider.
The Control Plane tracing provider is the default method for collecting OpenTelemetry traces. They will be accessible for exploration using Grafana by accessing Metrics in the sidebar menu of the Console.
To enable traces using the Console, navigate to your GVC, click on Tracing, and choose Control Plane as the metric provider. Then, configure the sampling percentage and, optionally, the Custom Tags.
Here is an example of a GVC with enabled tracing:
Similarly, traces can be sent to an OTEL collector endpoint using the OpenTelemetry tracing provider.
For details, see the Online Boutique example.
The retention period for logs, metrics and traces defaults to 30 days and can be adjusted for each independently.
Charges apply for the combined storage of logs, metrics and traces over 100 GB, calculated per GB-month.
Control Plane provides real-time threat detection and alerting by inspecting syscalls of all running workloads using Falco.
No action is required to enable threat detection: metrics are collected for each detected threat and are used to send notifications.
Threat alert notifications include the GVC, the Workload, the rule that triggered the alert, and the priority of the alert.
If Syslog forwarding of threat details is required, it can be configured in the Org settings.
The following list of threats or attempted activities will trigger an alert at the specified severity levels.
Metrics used for threat alerts are stored in the threat_detection_alerts time series. Labels for this metric are as follows:

Threats at the warning level will be alerted by default.

Two further metrics report on Syslog forwarding: threat_detection_forward_enable is set to 1 when Syslog forwarding of alerts is enabled, and threat_detection_forward_total provides a total of all threat events sent to the Syslog target.
The console UI will automatically sign out if inactive for 15 minutes. This timeout duration is the default setting (for PCI compliance) and can be modified. The timeout setting (in seconds) can be adjusted from the Info page, reached by clicking the Org link in the left menu.
The permissions below are used to define policies together with one or more of the four principal types:
Permission | Description | Implies |
---|---|---|
edit | Modify org | view |
exec | Grantees can execute all commands on the org | exec.echo |
exec.echo | Grantees can execute the echo command | |
grafanaAdmin | Grantees are made Admin in Grafana, otherwise the role ‘Viewer’ is assigned | |
manage | Full access | edit, exec, exec.echo, grafanaAdmin, manage, readLogs, readMetrics, readUsage, view, viewAccessReport |
readLogs | Grantees can read logs from all workloads | view |
readMetrics | Grantees can access usage and performance metrics | |
readUsage | Grantees can access usage and billing metrics | |
view | Read-only view: every org member can view their org | |
viewAccessReport | Grantees can inspect the granted access report on all resources within the org | |
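The Implies column matters when reviewing a policy: binding a principal to `exec` also grants `exec.echo`, and `manage` grants every Org permission. The following Python is an added example, not Control Plane's own code or CLI; it transcribes the implies table above and resolves the effective permission set of a binding, the minimal set of bindings that covers a stated need, and the excess a binding grants beyond that need. The sample policies at the bottom are constructed input.

```python
"""Resolve effective Org permissions from the implies table.

Added example for this documentation page; not Control Plane's own code.
IMPLIES is transcribed from the Org permissions table above. The policies
checked in demo() are constructed sample input.
"""
from __future__ import annotations

# Permission -> permissions it implies (from the Org permissions table).
IMPLIES: dict[str, frozenset[str]] = {
    "edit": frozenset({"view"}),
    "exec": frozenset({"exec.echo"}),
    "exec.echo": frozenset(),
    "grafanaAdmin": frozenset(),
    "manage": frozenset({"edit", "exec", "exec.echo", "grafanaAdmin", "manage",
                         "readLogs", "readMetrics", "readUsage", "view",
                         "viewAccessReport"}),
    "readLogs": frozenset({"view"}),
    "readMetrics": frozenset(),
    "readUsage": frozenset(),
    "view": frozenset(),
    "viewAccessReport": frozenset(),
}


def _check_known(perms: set[str]) -> None:
    # A typo in a binding should fail loudly, not silently grant nothing.
    unknown = sorted(perms - IMPLIES.keys())
    if unknown:
        raise ValueError(f"unknown org permission(s): {unknown}")


def effective_permissions(granted: set[str]) -> frozenset[str]:
    """Transitive closure of `granted` over the implies table."""
    _check_known(set(granted))
    result: set[str] = set()
    stack = list(granted)
    while stack:
        perm = stack.pop()
        if perm in result:          # handles manage implying itself
            continue
        result.add(perm)
        stack.extend(IMPLIES[perm])
    return frozenset(result)


def minimal_grant(required: set[str]) -> frozenset[str]:
    """Smallest subset of `required` whose closure still covers all of it.

    Any required permission already implied by another required one is
    dropped, so the policy binds only what is needed.
    """
    required = set(required)
    _check_known(required)
    return frozenset(
        p for p in required
        if not any(p in effective_permissions({q}) for q in required if q != p)
    )


def excess_permissions(granted: set[str], required: set[str]) -> frozenset[str]:
    """Permissions a binding grants beyond what `required` actually needs."""
    return effective_permissions(granted) - effective_permissions(required)


def demo() -> dict[str, frozenset[str]]:
    """Constructed policies: a log reader bound to `manage` versus to `readLogs`."""
    need = {"readLogs"}
    return {
        "bound_to_manage_excess": excess_permissions({"manage"}, need),
        "bound_to_readLogs_excess": excess_permissions({"readLogs"}, need),
        "minimal_for_logs_and_edit": minimal_grant({"readLogs", "view", "edit"}),
    }


if __name__ == "__main__":
    for name, perms in demo().items():
        print(f"{name}: {sorted(perms)}")
```

Running the block shows that a principal who only needs to read logs but is bound to `manage` holds eight permissions it does not need, while a `readLogs` binding has no excess; `view` never needs its own binding next to `readLogs` or `edit` because both imply it.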
The access report displays the permissions granted to principals for the Org.
To view the CLI documentation for an Org, click here.