Org (Organization)

Overview

Refer to the org concepts page.

Create an Org

Refer to the Create an Org guide.

Multiple Orgs

A user can be a member of one or more Orgs.

  • To switch between Orgs from the console:
    • Click on the profile dropdown in the upper right corner.
    • Click on the Org dropdown menu.
    • Click on the desired Org.

External Logging

Control Plane offers the ability to ship all Org logs to one of the following providers:

  1. Amazon S3
  2. Coralogix
  3. Datadog
NOTE

When shipping logs to an external provider, all logs will still be available using Control Plane.

For the logs stored at Control Plane, refer to this page for the current log retention policy.

Log shipping can only be configured to one of the external providers, but this setting can be modified at any time.

S3

To configure log shipping to S3, an AWS Secret must be created.

Follow these steps to create the Secret and configure external logging:

  1. Refer to these instruction to create a new AWS IAM user in your AWS account.

    • Select Programmatic access when creating the user and take note of the Access and Secret Key.
  2. This user, at a minimum, must have an associated policy with the s3:PutObject action.

Sample AWS Policy (substitute S3_BUCKET_NAME):

copy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"
}
]
}
  1. From the Control Plane Console UI, click Secrets from the left menu.
  2. Click the New button.
  3. Enter a Name for the secret, and select AWS from the Secret Type list.
  4. Enter the Access Key and Secret Key and click Save.
  5. This secret can now be used when configuring logging using the UI or CLI.
  6. After the configuration is complete, log files will be available at S3 within a few minutes.

Coralogix

To configure log shipping to Coralogix, an Opaque Secret must be created that contains a Coralogix API Key.

Follow these steps to obtain the API Key, create the Secret, and configure external logging:

  1. From the Coroalogix Dashboard, click the Data Flow link (in the header), then click the API Keys link.
  2. Generate and/or copy the Send Your Data API Key.
  3. From the Control Plane Console UI, click Secrets from the left menu.
  4. Click the New button.
  5. Enter a Name for the secret, and select Opaque from the Secret Type list.
  6. Paste the string from step #2 into the content text box and click Save.
  7. This secret can now be used when configuring logging using the UI or CLI.
  8. After the configuration is complete, log entries will be available at Coralogix within a few minutes.

Datadog

To configure log shipping to Datadog, an Opaque Secret must be created that contains a Datadog API Key.

Follow these steps to obtain the API Key, create the Secret, and configure external logging:

  1. From the Datadog Dashboard, hover over your username at the bottom of the left menu and click Organization Settings.
  2. In the middle menu, click API Keys.
  3. Click the New Key button in the upper right corner, enter a key name, and click Create Key.
  4. Click the Copy Key button. This will copy the key to your clipboard. Click the X to close the modal.
  5. From the Control Plane Console UI, click Secrets from the left menu.
  6. Click the New button.
  7. Enter a Name for the secret, and select Opaque from the Secret Type list.
  8. Paste the string from step #4 into the content text box and click Save.
  9. This secret can now be used when configuring logging using the UI or CLI.
  10. After the configuration is complete, log entries will be available at Datadog within a few minutes.

Enable External Logging using the UI Console

  1. From the Control Plane Console UI, click on Org in the left menu.
  2. Click External Logs in the middle context menu.
  3. Select S3, Coralogix, or Datadog and fill out the required fields.
TIP

For Coralogix, the cluster name will be the same domain name that resolves when using the Coralogix dashboard.

For Datadog, the hostname will be similar to the domain name that resolves when using the Datadog dashboard. (i.e., The host http-intake.logs.us3.datadoghq.com maps to the dashboard domain us3.datadoghq.com)

TIP

For S3, the prefix will be the folder where the logs will be written.

The folder structure will follow the format:

`PREFIX/ORG_NAME/YEAR/MONTH/DAY/HOUR/MINUTE/LOG_FILE.jsonl

The .jsonl file will contain ~1-3k of single line log entries in JSON.

Each entry will contain the following keys:

  • time
  • log
  • location,
  • version
  • provider
  • container
  • replica
  • workload
  • gvc
  • org
  • stream
  1. Click Save.

Enable External Logging using the CLI

The external logging configuration can be created / updated using the CLI's cpln org patch ORG_NAME -f FILE.yaml command.

Below are example Org manifests (in YAML). Save the YAML as a file and it can be used as input to the CLI's cpln org patch ORG_NAME -f FILE.yaml command.

Configure S3 Logging (substitute ORG_NAME, S3_BUCKET_NAME, AWS_SECRET, and AWS_REGION)

copy
kind: org
name: ORG_NAME
spec:
logging:
s3:
bucket: S3_BUCKET_NAME
credentials: //secret/AWS_SECRET
prefix: /
region: AWS_REGION

Configure Coralogix Logging (substitute ORG_NAME, OPAQUE_SECRET, and possibly the cluster)

Note: Use the cluster URL that matches your Coralogix account. The cluster will be the same domain name that resolves when using the Coralogix dashboard.

copy
kind: org
name: ORG_NAME
spec:
logging:
coralogix:
cluster: coralogix.com
credentials: //secret/OPAQUE_SECRET

Configure Datadog Logging (substitute ORG_NAME, OPAQUE_SECRET, and possibly the host)

Note: Use the host URL that matches your Datadog account. The host will be a similar domain name that resolves when using the Datadog dashboard.

copy
kind: org
name: ORG_NAME
spec:
logging:
datadog:
host: http-intake.logs.us3.datadoghq.com
credentials: //secret/OPAQUE_SECRET

Permissions

The permissions below are used to define policies together with one or more of the four principal types:

PermissionDescriptionImplies
editModify orgview
grafanaAdminGrantees are made Admin in Grafana, otherwise the role 'Viewer' is assigned
manageFull accessedit, grafanaAdmin, manage, readLogs, readMetrics, readUsage, view, viewAccessReport
readLogsGrantees can read logs from all workloadsview
readMetricsGrantees can access usage and performance metrics
readUsageGrantees can access usage and billing metrics
viewRead-only view: every org member can view their org
viewAccessReportGrantees can inspect the granted access report on all resources within the org

Access Report

Displays the permissions granted to principals for the Org.

CLI

To view the CLI documentation for an Org, click here

Copyright © 2022 Control Plane Corporation. All rights reserved. Revision ca7f7cfc
Contents