Why This Matters

Syslog gets your logs off the cluster. What it does not give you is a fast, interactive way to ask questions about them while you are debugging. Tailing a forwarded log file or writing a query against a SIEM is useful for forensics, not for active troubleshooting where you are iterating quickly.

LokiStack brings structured log querying into the cluster. You can filter by namespace, label, pod name, log level, or any combination — and because LokiStack runs in openshift-logging tenancy mode, it enforces OpenShift RBAC automatically. Users can only query logs from namespaces they already have access to.

Grafana connects to LokiStack as a datasource and gives you the Explore view: live log tailing, label-based filtering, and histogram overlays over time. It is worth slowing down to set this up properly — once it is in place, it changes how you investigate problems in the cluster.

The Steps

1. Install the Red Hat Loki Operator into a dedicated namespace, and the community Grafana Operator into its own
2. Provision an S3 bucket via OpenShift Data Foundation and deploy a LokiStack backed by it
3. Deploy Grafana with a ServiceAccount that has the minimum permissions the LokiStack gateway requires
4. Update the ClusterLogForwarder to add LokiStack as a second output alongside syslog
5. Query logs in Grafana Explore

How To Do It

Step 1: Install the Operators

Two operators are needed: the Red Hat Loki Operator and the community Grafana Operator. If you want a primer on how OLM and operator installation works before diving in, How to Find, Install, and Explore an OpenShift Operator from the CLI is a good starting point.

The Grafana Operator installs namespace-scoped into its own dedicated namespace. Both are installed into dedicated namespaces rather than the default openshift-operators. The reasons for that are worth understanding — a dedicated post covering exactly why is coming soon.

📄 1-install-operators.yaml

This file creates six resources to install both operators:

Loki Operator Namespace, OperatorGroup, and Subscription

apiVersion: v1
kind: Namespace
metadata:
  name: loki-operator
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: loki-operator-group
  namespace: loki-operator
spec: {}
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: loki-operator
  namespace: loki-operator
spec:
  channel: stable-6.5
  installPlanApproval: Automatic
  name: loki-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

The Loki Operator needs “All Namespaces” install scope — it has to watch for LokiStack resources in any namespace across the cluster. spec: {} on the OperatorGroup (no targetNamespaces set) signals that. This gives the same watch scope as the global-operators group in openshift-operators, but the operator’s own lifecycle stays isolated to the loki-operator namespace. It manages LokiStack resources and deploys the gateway, compactor, and storage components.

Most operators publish a stable channel you can subscribe to without pinning a version. The Loki Operator does not — its channels are versioned, like stable-6.2 or stable-6.5. If you copy the channel name from this post and that version is no longer current, your Subscription will fail to resolve. Check what is actually available on your cluster before applying:

oc get packagemanifest loki-operator -o jsonpath='{.status.channels[*].name}'

Use whatever stable-x.x value comes back — that is the channel name to put in the Subscription.

Grafana Operator Namespace, OperatorGroup, and Subscription

apiVersion: v1
kind: Namespace
metadata:
  name: grafana-logging
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: grafana-operator-group
  namespace: grafana-logging
spec:
  targetNamespaces:
  - grafana-logging
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: grafana-operator
  namespace: grafana-logging
spec:
  channel: v5
  installPlanApproval: Automatic
  name: grafana-operator
  source: community-operators
  sourceNamespace: openshift-marketplace

The Grafana Operator installs namespace-scoped into a dedicated grafana-logging namespace from the community catalog on channel v5. The OperatorGroup scopes it to that namespace — without one, the Subscription will stall.

oc apply -f 1-install-operators.yaml

Wait for both CSVs to reach Succeeded before moving on — do not continue until both show Succeeded: This could take a minute show up

oc get csv -n loki-operator -w
oc get csv -n grafana-logging -w

NAME                       DISPLAY           VERSION   PHASE
loki-operator.v6.5.0       Loki Operator     6.5.0     Succeeded

NAME                          DISPLAY            VERSION   PHASE
grafana-operator.v5.x.x       Grafana Operator   5.x.x     Succeeded

Step 2: Deploy the LokiStack

LokiStack needs an S3-compatible object store to write log chunks. This can be any S3-compatible target — AWS S3, Google Cloud Storage, Azure Blob, MinIO, or anything else that speaks the S3 API. The LokiStack spec just needs an endpoint, bucket name, and credentials in a Secret. Since we have OpenShift Data Foundation available, we are using NooBaa, which is ODF’s built-in S3-compatible object store.

Two resources drive this step. You do not apply them directly — the script below handles them in the correct order. Read through them first so the script output makes sense.

ObjectBucketClaim

apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: logging-loki-bucket
  namespace: openshift-logging
spec:
  generateBucketName: logging-loki
  storageClassName: openshift-storage.noobaa.io

An ObjectBucketClaim is how you request a bucket from NooBaa. When this is created, the OBC controller provisions the bucket and writes the connection details — host, port, bucket name, and credentials — into a Secret and ConfigMap in the same namespace, both named after the OBC. Those values are not available until the OBC reaches Bound, which is why this cannot simply be applied as part of a single YAML file.

LokiStack

📄 3-lokistack.yaml

apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: logging-loki
  namespace: openshift-logging
spec:
  size: 1x.demo
  storage:
    schemas:
    - version: v13
      effectiveDate: "2024-10-01"
    secret:
      name: logging-loki-s3
      type: s3
  storageClassName: ocs-external-storagecluster-ceph-rbd
  tenants:
    mode: openshift-logging

size: 1x.demo is a single-replica layout appropriate for non-production clusters. tenants.mode: openshift-logging wires Loki directly into OpenShift RBAC — users can only query logs from namespaces they already have access to, with no additional tenant configuration needed. The secret.name: logging-loki-s3 is the Secret the script builds from the OBC credentials before this manifest is applied.

The Script

📄 2-lokistack-setup.sh

The script applies the two resources above in the correct sequence:

1. Creates the openshift-logging namespace if it does not already exist (idempotent — safe to run if the Logging Operator already created it)
2. Creates the ObjectBucketClaim and waits for it to reach Bound
3. Extracts BUCKET_HOST, BUCKET_PORT, BUCKET_NAME, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY from the generated ConfigMap and Secret, then builds the logging-loki-s3 Secret the LokiStack references
4. Applies 3-lokistack.yaml and waits for the Ready condition to be True

bash 2-lokistack-setup.sh

==> Creating namespace openshift-logging...
namespace/openshift-logging configured
==> Creating ObjectBucketClaim...
objectbucketclaim.objectbucket.io/logging-loki-bucket created
==> Waiting for OBC to bind...
  waiting...
  waiting...
==> Extracting S3 credentials...
==> Creating Loki S3 secret...
secret/logging-loki-s3 created
==> Deploying LokiStack...
lokistack.loki.grafana.com/logging-loki created
==> Waiting for LokiStack to be ready (this takes a few minutes)...
  waiting...
  waiting...
LokiStack is ready.

Confirm the LokiStack is fully ready before continuing:

oc get lokistack logging-loki -n openshift-logging

NAME           AGE    READY
logging-loki   3m     True

Then verify the gateway and storage pods are all running:

oc get pods -n openshift-logging -l app.kubernetes.io/instance=logging-loki

Step 3: Deploy Grafana

📄 4-grafana.yaml

This file creates five resources in the grafana-logging namespace.

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-loki-sa
  namespace: grafana-logging

This is the identity Grafana uses when authenticating requests to the LokiStack gateway. The gateway validates the token via a TokenReview, then performs SubjectAccessReviews to check what the SA is allowed to see.

ClusterRole and ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: grafana-loki-reader
rules:
- apiGroups: ["loki.grafana.com"]
  resources: ["application"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["namespaces", "pods"]
  verbs: ["get", "list"]

The LokiStack gateway (opa-openshift) performs two SubjectAccessReviews for every request:

1. Tenant check — get application in the loki.grafana.com API group. application is not a registered CRD; it is a virtual resource name the gateway uses to represent the application log tenant. RBAC evaluates rules for it correctly even though the resource doesn’t exist as a CRD.
2. Namespace check — get pods in the namespace(s) referenced by the query labels. This enforces that the caller has actual Kubernetes-level access to the workloads whose logs they are reading.

Both checks must pass or the gateway returns You don't have permission to access this tenant.

Secret token

apiVersion: v1
kind: Secret
metadata:
  name: grafana-loki-token
  namespace: grafana-logging
  annotations:
    kubernetes.io/service-account.name: grafana-loki-sa
type: kubernetes.io/service-account-token

A long-lived token for the ServiceAccount. Kubernetes populates the token key automatically. The GrafanaDatasource reads it via valuesFrom and injects it as an Authorization header on every request to the LokiStack gateway.

Grafana and GrafanaDatasource

apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: logging-grafana
  namespace: grafana-logging
  labels:
    app: grafana
spec:
  route:
    spec: {}
  config:
    log:
      mode: "console"
    auth:
      disable_login_form: "false"
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: lokistack-datasource
  namespace: grafana-logging
spec:
  instanceSelector:
    matchLabels:
      app: grafana
  valuesFrom:
  - targetPath: "secureJsonData.httpHeaderValue1"
    valueFrom:
      secretKeyRef:
        name: grafana-loki-token
        key: token
  datasource:
    name: Loki
    type: loki
    access: proxy
    url: https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/
    isDefault: true
    jsonData:
      tlsSkipVerify: true
      httpHeaderName1: "Authorization"
      maxLines: 1000
    secureJsonData:
      httpHeaderValue1: "Bearer ${token}"

The datasource URL points directly at the LokiStack gateway’s internal service for the application log tenant. tlsSkipVerify: true is used here because we are connecting to an internal service using the cluster’s self-signed CA — in production you would mount the CA bundle instead.

oc apply -f 4-grafana.yaml

Verify the Grafana pod is running:

oc get pods -n grafana-logging -l app=logging-grafana

Confirm the datasource was successfully pushed to the Grafana instance:

oc get grafanadatasource lokistack-datasource -n grafana-logging \
  -o jsonpath='{.status.conditions[?(@.type=="DatasourceSynchronized")].message}'

Datasource was successfully applied to 1 instances

Step 4: Update the CLF to Dual-Output

📄 5-clf-dual-output.yaml

This file replaces the ClusterLogForwarder from the previous post with a dual-output version, and adds a ClusterRoleBinding the collector needs to write to LokiStack.

ClusterLogForwarder

apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  serviceAccount:
    name: logcollector

  inputs:
  - name: logspam-logs
    type: application
    application:
      includes:
      - namespace: logspam

  outputs:
  - name: syslog-out
    type: syslog
    syslog:
      url: tcp://rsyslog-service.syslog-server.svc.cluster.local:1514
      rfc: RFC5424
      enrichment: KubernetesMinimal

  - name: loki-out
    type: lokiStack
    lokiStack:
      target:
        name: logging-loki
        namespace: openshift-logging
      authentication:
        token:
          from: serviceAccount
    tls:
      ca:
        configMapName: openshift-service-ca.crt
        key: service-ca.crt

  pipelines:
  - name: app-to-all
    inputRefs:
    - logspam-logs
    outputRefs:
    - syslog-out
    - loki-out

The lokiStack output type references the LokiStack by name and namespace rather than a URL — the Vector collector handles service discovery, authentication, and TLS internally. authentication.token.from: serviceAccount tells the collector to use the logcollector ServiceAccount token when writing to Loki. The tls.ca block references the cluster’s internal CA bundle that OpenShift injects into every namespace automatically.

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logcollector-write-application-logs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging-write-application-logs
subjects:
- kind: ServiceAccount
  name: logcollector
  namespace: openshift-logging

The logcollector ServiceAccount already has collect-application-logs from the previous post, which covers reading logs. Writing to LokiStack requires the separate cluster-logging-write-application-logs ClusterRole, installed by the Logging Operator.

oc apply -f 5-clf-dual-output.yaml

Confirm the CLF reconciled cleanly and both outputs are healthy:

oc get clusterlogforwarder instance -n openshift-logging \
  -o json | jq '.status'

Verify syslog is still receiving logs from the second output:

oc logs -n syslog-server -l app=rsyslog-server --tail=5

You should see recent structured syslog entries from the logspam namespace still arriving as before.

Then confirm Loki is ingesting. Vector does not log individual Loki requests at its default log level, so the reliable signal is querying the Loki labels API directly:

LOKI_ROUTE=$(oc get route logging-loki -n openshift-logging -o jsonpath='{.spec.host}')
TOKEN=$(oc whoami -t)
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://${LOKI_ROUTE}/api/logs/v1/application/loki/api/v1/labels" | jq .

Expected output:

{
  "status": "success",
  "data": [
    "k8s_container_name",
    "k8s_namespace_name",
    "k8s_node_name",
    "k8s_pod_name",
    "log_type",
    "openshift_log_type"
  ]
}

If data is an empty array, the collector has not pushed anything yet — wait 30 seconds and retry.

Step 5: Query Logs in Grafana

📄 6-get-grafana-url.sh

bash 6-get-grafana-url.sh

The Grafana Operator creates an admin credentials secret automatically named logging-grafana-admin-credentials. The script reads the route and pulls the username and password from that secret directly:

========================================
  Grafana Login Details
========================================
URL:      https://logging-grafana-route-grafana-logging.apps.example.com
Username: admin
Password: <generated-password>
========================================

Open the URL in a browser and log in. Use the Explore view from the left sidebar (the compass icon) — do not use the Explore Logs app. The Explore Logs app calls a detected_labels endpoint that the LokiStack gateway does not proxy, which causes 404 errors. The standard Explore view works correctly with LokiStack.

Select the Loki datasource and query:

{kubernetes_namespace_name="logspam"}

You will see the same log stream from the logspam generator — timestamped, color-coded by log level, and filterable by label or field.

The syslog server is receiving the same stream in parallel. Both outputs are driven by the same ClusterLogForwarder pipeline — add more outputs to fan logs to additional destinations without touching your workloads.

References

• Red Hat Loki Operator docs
• OCP Docs: Configuring a LokiStack
• OCP Logging 6.x Docs: Log forwarding

Why This Matters

When OLM installs an operator, it creates an InstallPlan in the same namespace as the Subscription. That InstallPlan is OLM’s resolved list of everything that needs to be installed — the CSVs, their dependencies, and the order they go in. The approved field is the gate: Automatic means OLM proceeds immediately, Manual means nothing moves until a human approves it.

The catch is that OLM resolves dependencies at the namespace level, not the subscription level. Every operator in a namespace gets pulled into the same InstallPlan. So when any operator has an available upgrade, OLM creates a single plan covering all operators in that namespace that can be upgraded — not just the one you care about.

That has two consequences worth sitting with. First, if you want to upgrade one operator, you are also upgrading every other operator in that namespace that has an available update. There is no mechanism to split them. Second, if any one subscription in the namespace is set to Manual approval, the entire plan waits for human sign-off — including operators whose subscriptions say Automatic. The UI will show those as Automatic. The behavior is Manual. Red Hat’s own support documentation calls this out directly.

This is not a bug. It is the documented behavior of the current OLM API. The problem is that it accumulates silently because the OperatorHub UI never tells you it is happening.

The Steps

1. Inspect the openshift-operators namespace to see how many subscriptions are sharing it
2. Examine an InstallPlan to confirm that a single plan spans multiple operators

How To Do It

Step 1: See what is sharing the namespace

oc get subscriptions -n openshift-operators

NAME                                                                PACKAGE                           SOURCE             CHANNEL
devworkspace-operator-fast-redhat-operators-openshift-marketplace   devworkspace-operator             redhat-operators   fast
loki-operator                                                       loki-operator                     redhat-operators   stable-6.5
openshift-pipelines-operator-rh                                     openshift-pipelines-operator-rh   redhat-operators   latest
web-terminal                                                        web-terminal                      redhat-operators   fast

Four operators in the same namespace. Each one is now part of the same dependency resolution pool.

Step 2: Inspect an InstallPlan to see the bundling

oc get installplan -n openshift-operators -o wide

NAME            CSV                                       APPROVAL   APPROVED
install-6zbg9   openshift-pipelines-operator-rh.v1.21.1   Manual     true
install-f5jr2   loki-operator.v6.5.0                      Manual     true
install-lszl8   web-terminal.v1.15.0                      Manual     true

The wide output only shows the first CSV in each plan. Pull the full list for one:

oc get installplan install-lszl8 -n openshift-operators \
  -o jsonpath='{.spec.clusterServiceVersionNames}'

["web-terminal.v1.15.0","devworkspace-operator.v0.40.0"]

That is the problem. install-lszl8 looks like a Web Terminal plan, but it includes devworkspace-operator too. Approving it upgrades both. There is no way to approve one without the other while they share a namespace.

To approve:

oc patch installplan install-lszl8 -n openshift-operators \
  --type merge \
  --patch '{"spec":{"approved":true}}'

Both operators upgrade simultaneously.

The fix is to give each operator its own namespace and its own OperatorGroup. InstallPlans are scoped to a namespace, so operators in separate namespaces can never be bundled together. The openshift-operators namespace is still useful for quick experiments or operators you do not need to manage long-term. But for anything in production, or anything you need upgrade control over, a dedicated namespace is the right call.

References

• Red Hat Solution: InstallPlans referencing more than one operator in openshift-operators namespace
• OCP Docs: Operator Lifecycle Manager concepts — OperatorGroup
• OCP Docs: Understanding OperatorHub
• How to Find, Install, and Explore an OpenShift Operator from the CLI

Why This Matters

The gap between “what the docs say” and “what’s actually on your cluster” is where most operator frustration happens. You apply a manifest from a tutorial, get a validation error or a subscription that never resolves, and you’re not sure if the problem is your YAML, your cluster version, or an operator that changed its API.

Most people jump straight to the UI or copy a Subscription from a blog post without checking whether that channel even exists on their cluster. Then they wait five minutes wondering why nothing is happening. The CLI gives you the tools to do this right from the start — find the operator, confirm the channel, install it properly, and understand what it registered before you write a single CR.

This is worth slowing down to learn. Once you know how to go from catalog to installed operator entirely in oc, you can do it for any operator on any cluster without hunting for the right tutorial.

The Steps

1. Find what operators are available and where they come from
2. Query the OperatorHub catalog to find available channels before subscribing
3. Create the namespace, OperatorGroup, and Subscription to install the operator
4. Wait for the CSV to confirm a successful install
5. Find what CRDs the operator actually registered
6. Use oc explain to walk the CRD spec interactively

How To Do It

Step 1: Find What Operators Are Available

Before you know which operator you want, it helps to understand where they come from. OpenShift pulls its operator catalog from CatalogSource objects — these are the upstream feeds that populate OperatorHub. By default, a fresh cluster has three:

oc get catalogsource -n openshift-marketplace

NAME                  DISPLAY               TYPE   PUBLISHER   AGE
certified-operators   Certified Operators   grpc   Red Hat     10d
community-operators   Community Operators   grpc   Red Hat     10d
redhat-operators      Red Hat Operators     grpc   Red Hat     10d

redhat-operators is the source for first-party Red Hat products like Logging, OpenShift Data Foundation, and ACM. certified-operators covers ISV software that’s gone through Red Hat’s certification process. community-operators is OperatorHub.io content — open source, community-maintained.

Every operator in those catalogs becomes a PackageManifest on your cluster. To list everything available:

oc get packagemanifest -n openshift-marketplace

That list is long. To filter it down to what you’re looking for, you can grep on name:

oc get packagemanifest -n openshift-marketplace | grep -i logging

Or filter by catalog source using a label selector:

oc get packagemanifest -n openshift-marketplace \
  -l catalog=redhat-operators | grep -i logging

If you want to search from the web console instead, go to Operators → OperatorHub. There’s a search bar at the top that filters by name as you type. The left panel lets you narrow by source (Red Hat, Certified, Community), category (Logging & Tracing, Storage, Security, etc.), and capability level. It’s the fastest way to browse if you don’t know the exact package name yet — the CLI approach is more reliable when you already know what you want and need scriptable output.

Step 2: Find the Right Channel Before You Subscribe

Operator subscriptions require a channel field. Documentation often shows stable, but many operators publish versioned channels like stable-6.5 and don’t maintain a generic alias. Subscribing to a non-existent channel fails silently — the subscription sits unresolved.

Query the OperatorHub catalog first:

oc get packagemanifest cluster-logging \
  -o jsonpath='{.status.channels[*].name}'

stable-6.2 stable-6.3 stable-6.4 stable-6.5

Then check which channel the operator recommends as default:

oc get packagemanifest cluster-logging \
  -o jsonpath='{.status.defaultChannel}'

stable-6.5

Use that value in your Subscription. If you want to pin to a specific version rather than float to the latest, use an exact channel like stable-6.4.

You can also check what CSV (operator version) each channel points to before subscribing:

oc get packagemanifest cluster-logging \
  -o jsonpath='{range .status.channels[*]}{.name}{"\t"}{.currentCSV}{"\n"}{end}'

stable-6.2    cluster-logging.v6.2.0
stable-6.3    cluster-logging.v6.3.0
stable-6.4    cluster-logging.v6.4.0
stable-6.5    cluster-logging.v6.5.0

Step 3: Create the Namespace, OperatorGroup, and Subscription

Three resources are required to install an operator via OLM from the CLI. None of them are created by OperatorHub automatically when you’re working in the terminal.

Namespace — operators install into a specific namespace. For Logging, that’s openshift-logging. Create it first if it doesn’t exist:

oc create namespace openshift-logging

OperatorGroup — tells OLM which namespaces the operator is allowed to watch. A single-namespace OperatorGroup scopes the operator to openshift-logging only, which is correct for Logging. Without an OperatorGroup in the namespace, the Subscription will stall:

cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-logging
  namespace: openshift-logging
spec:
  targetNamespaces:
  - openshift-logging
EOF

Subscription — this is what actually triggers OLM to pull and install the operator. It references the catalog source (redhat-operators), the package name (cluster-logging), and the channel you identified in Step 1:

cat <<EOF | oc apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: stable-6.5
  installPlanApproval: Automatic
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF

installPlanApproval: Automatic means OLM will approve and execute the install without you having to manually approve an InstallPlan. Use Manual if you want to inspect what will be installed before committing — useful in production environments where you want to control when upgrades happen.

Once the Subscription is applied, OLM creates an InstallPlan and begins pulling the operator. You can watch its progress:

oc get installplan -n openshift-logging

NAME            CSV                       APPROVAL    APPROVED
install-abc12   cluster-logging.v6.5.0    Automatic   true

Step 4: Wait for the CSV, Not Just the Pod

After applying a Subscription, the OLM installs the operator as a ClusterServiceVersion. The CSV is the real indicator of a successful install — a pod being Running just means the container started, not that OLM finished reconciling.

oc get csv -n openshift-logging -w

NAME                       DISPLAY                     VERSION   PHASE
cluster-logging.v6.5.0     Red Hat OpenShift Logging   6.5.0     Installing
cluster-logging.v6.5.0     Red Hat OpenShift Logging   6.5.0     Succeeded

Don’t apply CRs until the CSV reaches Succeeded. If it stalls at Installing, check oc get installplan -n <namespace> for approval blocks or dependency resolution failures.

Step 5: Find What CRDs the Operator Registered

Once the CSV is Succeeded, the operator has registered its CRDs into the cluster API. Don’t assume you know their names or API groups — operators change these across major versions. In Logging’s case, 5.x used logging.openshift.io and 6.x moved to observability.openshift.io.

The most reliable way to see exactly what the operator registered is to ask the CSV directly. It has an explicit owned list of every CRD it manages:

oc get csv cluster-logging.v6.5.0 -n openshift-logging \
  -o jsonpath='{range .spec.customresourcedefinitions.owned[*]}{.name}{"\t"}{.version}{"\t"}{.kind}{"\n"}{end}'

clusterlogforwarders.observability.openshift.io   v1   ClusterLogForwarder
logfilemetricexporters.logging.openshift.io       v1alpha1   LogFileMetricExporter

This is authoritative — it’s the same list OLM used to register the CRDs, so it works even when the API group name has nothing obvious to do with the operator. If you don’t know the exact CSV name, grab it first:

oc get csv -n openshift-logging -o name

If you want a quick scan across all CRDs on the cluster without knowing the CSV name, grep is a useful secondary option:

oc get crd | grep -E "logging|observ"

clusterlogforwarders.observability.openshift.io   2026-04-01T20:03:34Z
logfilemetricexporters.logging.openshift.io       2026-04-01T20:03:34Z

Either way, this tells you two things immediately: the API group changed, and ClusterLogging is gone entirely in this version. If you’d written apiVersion: logging.openshift.io/v1 in your manifest, it would have been rejected.

Step 6: Explore the Spec with oc explain

oc explain is the most underused tool for working with operators. It reads the CRD’s API schema and prints field descriptions, types, and required markers directly in your terminal. You don’t need docs, you don’t need examples — you can walk the entire spec yourself.

Start at the top level:

oc explain clusterlogforwarders.observability.openshift.io.spec

Go deeper with --recursive to see the full tree:

oc explain clusterlogforwarders.observability.openshift.io.spec --recursive

Drill into a specific sub-field to get descriptions and enum values:

oc explain clusterlogforwarders.observability.openshift.io.spec.outputs.syslog

FIELDS:
  appName     <string>
  enrichment  <string>
  enum: None, KubernetesMinimal
  facility    <string>
  msgId       <string>
  payloadKey  <string>
  procId      <string>
  rfc         <string> -required-
  enum: RFC3164, RFC5424
  severity    <string>
  tuning      <Object>
    deliveryMode  <string>
    enum: AtLeastOnce, AtMostOnce
  url         <string> -required-

The -required- markers tell you exactly which fields you can’t skip. The enum: lines tell you the valid values. This is more reliable than docs for the version actually installed on your cluster.

Use the same approach to discover the serviceAccount requirement — something that often isn’t obvious until you get a validation error:

oc explain clusterlogforwarders.observability.openshift.io.spec.serviceAccount

FIELDS:
  name  <string> -required-

And to understand how the v6 input filtering changed from application.namespaces to application.includes:

oc explain clusterlogforwarders.observability.openshift.io.spec.inputs.application --recursive

FIELDS:
  excludes  <[]Object>
    container   <string>
    namespace   <string>
  includes  <[]Object>
    container   <string>
    namespace   <string>
  ...

If you prefer a visual interface, the OpenShift web console has an API Explorer under Home → API Explorer. Search for the resource by kind, select it, and the Schema tab gives you the same field tree with descriptions — useful for browsing without constructing oc explain paths by hand.

Putting It Together

The pattern here applies to any operator, not just Logging:

1. oc get packagemanifest -n openshift-marketplace | grep <keyword> — find available operators and which catalog they come from
2. oc get packagemanifest <name> — find channels and the default before subscribing
3. Apply a Namespace, OperatorGroup, and Subscription — the three resources OLM needs to install the operator
4. oc get csv -n <namespace> -w — wait for Succeeded, not just a running pod
5. oc get csv <name> -o jsonpath='{range .spec.customresourcedefinitions.owned[*]}{.name}{"\n"}{end}' — confirm the exact CRDs the operator registered
6. oc explain <crd>.spec --recursive — walk the full spec without leaving the terminal

None of this requires external access or docs that match your exact version. Everything you need is already in the cluster.

References

• OCP Docs: Adding operators to a cluster
• OCP Docs: oc explain
• Kubernetes Docs: Understanding CRD validation schemas

Why This Matters

Most teams don’t think hard about log routing until something breaks or audit season arrives. The default LokiStack setup stores logs inside the cluster, which is excellent for day-to-day debugging — but logs that live and die with the cluster aren’t much use after a node failure, a cluster rebuild, or a security incident you’re investigating three weeks later.

Syslog has been the lingua franca of centralized log aggregation for decades. Every SIEM, every compliance platform, every mature log management system speaks it. When you configure OpenShift to forward to syslog, you’re plugging into that ecosystem without changing how your applications write logs. Your workloads log to stdout, the platform handles the rest.

The other thing worth slowing down to consider: the ClusterLogForwarder can send to multiple outputs simultaneously. You don’t lose your local LokiStack — you add syslog alongside it. Set the routing once, and the platform fans it out.

The Steps

1. Create a logspam namespace and deploy a log-generator Deployment running a UBI 9 container that emits log messages at random levels and intervals
2. Build and deploy an rsyslog server in its own namespace, exposed externally via NodePort
3. Install the OpenShift Logging Operator from OperatorHub
4. Create a ClusterLogForwarder pointing at the syslog external endpoint
5. Bonus: Install Loki and Grafana, then replace the Step 4 CLF with a dual-output version that sends logs to both syslog and LokiStack simultaneously

How To Do It

Step 1: The Log Generator

The log generator is a UBI 9 container running a shell loop that emits messages at all four log levels — INFO, WARN, ERROR, and DEBUG — at random intervals. It gives you real, varied log output to forward and inspect.

📄 1-logspam.yaml

oc apply -f 1-logspam.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: logspam
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: log-generator
  namespace: logspam
spec:
  replicas: 1
  selector:
    matchLabels:
      app: log-generator
  template:
    metadata:
      labels:
        app: log-generator
    spec:
      containers:
      - name: log-generator
        image: registry.access.redhat.com/ubi9/ubi:latest
        command: ["/bin/bash", "-c"]
        args:
        - |
          LEVELS=("INFO" "WARN" "ERROR" "DEBUG")
          MESSAGES=(
            "Application started successfully"
            "High memory usage detected: 85%"
            "Failed to connect to database - retrying"
            "Processing request ID $((RANDOM % 100000))"
            "Cache miss for key user-session-$((RANDOM % 999))"
            "Successfully flushed write buffer to disk"
            "Rate limit exceeded for client"
            "Scheduled job completed"
          )
          while true; do
            LEVEL=${LEVELS[$((RANDOM % 4))]}
            MSG=${MESSAGES[$((RANDOM % 8))]}
            echo "[${LEVEL}] ${MSG} at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
            sleep $((RANDOM % 5 + 1))
          done

Verify the pod is running before tailing logs:

oc get pods -n logspam -l app=log-generator

NAME                             READY   STATUS    RESTARTS   AGE
log-generator-7d6f9b8c4-xk2pj   1/1     Running   0          30s

Then follow the output:

oc logs -n logspam -l app=log-generator -f

[INFO] Application started successfully at 2026-04-01T10:23:41Z
[ERROR] Failed to connect to database - retrying at 2026-04-01T10:23:44Z
[WARN] High memory usage detected: 85% at 2026-04-01T10:23:46Z

Step 2: The Syslog Server

The syslog server runs rsyslog inside a UBI 9 image built in-cluster. Building rsyslog into the image at build time — rather than installing it at runtime — means the container runs as a non-root user (UID 1001) with no elevated privileges needed. Port 514 is a privileged port that requires root to bind, so the server listens on port 1514 instead, which any non-root process can bind freely.

📄 2-syslog-server.yaml

This single file creates every resource needed to build and run the syslog server — from the namespace through to the services. Here’s what’s in it and why each piece exists.

oc apply -f 2-syslog-server.yaml

Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: syslog-server

All syslog server resources land in the syslog-server namespace, keeping them isolated from the log generator and the logging operator.

ImageStream

apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: rsyslog-server
  namespace: syslog-server

An ImageStream is OpenShift’s internal image reference. The BuildConfig pushes the built image to this stream, and the Deployment pulls from it. This keeps everything inside the cluster’s internal registry — no external image pull needed.

BuildConfig

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: rsyslog-server
  namespace: syslog-server
spec:
  output:
    to:
      kind: ImageStreamTag
      name: rsyslog-server:latest
  source:
    type: Dockerfile
    dockerfile: |
      FROM registry.access.redhat.com/ubi9/ubi:latest
      RUN dnf install -y rsyslog && dnf clean all && rm -rf /var/cache/dnf
      USER 1001
  strategy:
    type: Docker
    dockerStrategy: {}
  triggers:
  - type: ConfigChange

The BuildConfig installs rsyslog into a UBI 9 base image at build time and drops to UID 1001 before the image is committed. The ConfigChange trigger fires the build automatically when the BuildConfig is first created. The result is pushed to the rsyslog-server ImageStream.

Wait for the build to complete before the Deployment pod can start (about 60 seconds):

oc get builds -n syslog-server -w

ConfigMap: rsyslog config

apiVersion: v1
kind: ConfigMap
metadata:
  name: rsyslog-config
  namespace: syslog-server
data:
  rsyslog.conf: |
    global(workDirectory="/tmp/rsyslog")

    module(load="imudp")
    input(type="imudp" port="1514")

    module(load="imtcp")
    input(type="imtcp" port="1514")

    $template RemoteFormat,"%TIMESTAMP:::date-rfc3339% [%HOSTNAME%] %syslogtag%%msg%\n"
    *.* /tmp/syslog/syslog.log;RemoteFormat

The rsyslog configuration is mounted into the container at /etc/rsyslog-custom/rsyslog.conf. All paths are under /tmp — writable by any user — since the container runs without root. The server accepts both TCP and UDP on 1514 and writes every received message to /tmp/syslog/syslog.log using a timestamp-prefixed format.

ConfigMap: startup script

apiVersion: v1
kind: ConfigMap
metadata:
  name: rsyslog-startup
  namespace: syslog-server
data:
  start.sh: |
    #!/bin/bash
    set -e
    mkdir -p /tmp/rsyslog /tmp/syslog
    touch /tmp/syslog/syslog.log
    rsyslogd -n -i /tmp/rsyslog/rsyslogd.pid -f /etc/rsyslog-custom/rsyslog.conf &
    echo "rsyslog started, listening on TCP/UDP 1514"
    exec tail -f /tmp/syslog/syslog.log

The startup script is mounted at /startup/start.sh and runs as the container’s entrypoint. It creates the working directories, starts rsyslogd in the background with the custom config, then execs tail -f on the log file so the container’s stdout streams received syslog messages — making them visible via oc logs.

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rsyslog-server
  namespace: syslog-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rsyslog-server
  template:
    metadata:
      labels:
        app: rsyslog-server
    spec:
      containers:
      - name: rsyslog
        image: image-registry.openshift-image-registry.svc:5000/syslog-server/rsyslog-server:latest
        command: ["/bin/bash", "/startup/start.sh"]
        ports:
        - name: syslog-tcp
          containerPort: 1514
          protocol: TCP
        - name: syslog-udp
          containerPort: 1514
          protocol: UDP
        volumeMounts:
        - name: startup
          mountPath: /startup
        - name: rsyslog-config
          mountPath: /etc/rsyslog-custom
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
          limits:
            cpu: "200m"
            memory: "256Mi"
      volumes:
      - name: startup
        configMap:
          name: rsyslog-startup
          defaultMode: 0755
      - name: rsyslog-config
        configMap:
          name: rsyslog-config

The Deployment pulls the image from the internal registry, mounts both ConfigMaps, and exposes port 1514 on both TCP and UDP. The defaultMode: 0755 on the startup ConfigMap volume ensures the script is executable when mounted.

Services

OpenShift Routes are HTTP/HTTPS only — they use HAProxy at layer 7 and can’t pass raw TCP syslog traffic. To reach the syslog server you need a Service instead. The YAML creates two:

# In-cluster access — used by the CLF when forwarding within the same cluster
apiVersion: v1
kind: Service
metadata:
  name: rsyslog-service
  namespace: syslog-server
spec:
  selector:
    app: rsyslog-server
  ports:
  - name: syslog-tcp
    port: 1514
    protocol: TCP
    targetPort: 1514
  - name: syslog-udp
    port: 1514
    protocol: UDP
    targetPort: 1514
---
# External access — fixed NodePort 31514
apiVersion: v1
kind: Service
metadata:
  name: rsyslog-external
  namespace: syslog-server
spec:
  type: NodePort
  selector:
    app: rsyslog-server
  ports:
  - name: syslog-tcp
    port: 1514
    protocol: TCP
    targetPort: 1514
    nodePort: 31514

The ClusterIP service (rsyslog-service) is what the ClusterLogForwarder uses when forwarding logs within the same cluster — reachable at rsyslog-service.syslog-server.svc.cluster.local:1514. The NodePort service (rsyslog-external) exposes the server on port 31514 of any worker node for external access. A fixed nodePort: 31514 makes it predictable — you know the port without having to look it up.

For production, prefer type: LoadBalancer on cloud platforms — it provisions an external load balancer with a stable IP rather than relying on individual node IPs. NodePort works well for on-premises and demo environments.

Step 3: Install the OpenShift Logging Operator

The Logging Operator is a Red Hat supported operator available from OperatorHub. As of Logging 6.x, it manages a Vector collector DaemonSet automatically when a ClusterLogForwarder is created — no separate ClusterLogging instance required.

If you’re new to how operators work — what OLM is doing, how channels and subscriptions relate, or how to explore what an operator registers — the post How to Find, Install, and Explore an OpenShift Operator from the CLI covers all of that in detail.

📄 3-install-logging-operator.yaml

This file creates three resources that OLM needs to install an operator from the CLI:

oc apply -f 3-install-logging-operator.yaml

Namespace

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-logging
  annotations:
    openshift.io/node-selector: ""
  labels:
    openshift.io/cluster-monitoring: "true"

The openshift-logging namespace is where the operator and all logging resources live. The openshift.io/node-selector: "" annotation clears any default node selector so the operator pods aren’t accidentally restricted to a subset of nodes. The openshift.io/cluster-monitoring: "true" label opts the namespace into cluster monitoring so the operator’s metrics are scraped automatically.

OperatorGroup

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-logging
  namespace: openshift-logging
spec:
  targetNamespaces:
  - openshift-logging

The OperatorGroup tells OLM which namespaces this operator is allowed to watch. Without one in the namespace, the Subscription will stall indefinitely. Scoping targetNamespaces to openshift-logging only gives the operator access to that namespace rather than cluster-wide.

Subscription

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: stable-6.5
  installPlanApproval: Automatic
  name: cluster-logging
  source: redhat-operators
  sourceNamespace: openshift-marketplace

The Subscription is what triggers OLM to pull and install the operator. It references the redhat-operators catalog, the cluster-logging package, and a specific channel. The Logging Operator does not publish a generic stable channel — check which channels are available on your cluster before applying:

oc get packagemanifest cluster-logging -o jsonpath='{.status.channels[*].name}'

installPlanApproval: Automatic means OLM approves and executes the install without manual intervention. Use Manual in production if you want to inspect the InstallPlan before committing to an upgrade.

Wait for the operator CSV to reach Succeeded before moving on — a running pod is not sufficient confirmation:

oc get csv -n openshift-logging -w

NAME                       DISPLAY                     VERSION   PHASE
cluster-logging.v6.5.0     Red Hat OpenShift Logging   6.5.0     Installing
cluster-logging.v6.5.0     Red Hat OpenShift Logging   6.5.0     Succeeded

Step 4: Configure Log Forwarding

Logging 6.x introduced a new API group — observability.openshift.io/v1 — and dropped the ClusterLogging resource entirely. The ClusterLogForwarder now owns the full configuration: what to collect, where to send it, and which service account the collector runs as.

📄 4-cluster-log-forwarder.yaml

This file creates three resources: a ServiceAccount for the collector, a ClusterRoleBinding that grants it read access to application logs, and the ClusterLogForwarder itself.

oc apply -f 4-cluster-log-forwarder.yaml

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: logcollector
  namespace: openshift-logging

The Vector collector DaemonSet runs as this ServiceAccount. Logging 6.x requires an explicit serviceAccount reference in the ClusterLogForwarder — the operator will not deploy the collector without it.

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: logging-collector-application-logs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collect-application-logs
subjects:
- kind: ServiceAccount
  name: logcollector
  namespace: openshift-logging

The collect-application-logs ClusterRole is installed by the Logging Operator and grants the collector read access to application pod logs across all namespaces. Without this binding the collector starts but cannot read any logs.

ClusterLogForwarder

apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  serviceAccount:
    name: logcollector

  inputs:
  - name: logspam-logs
    type: application
    application:
      includes:
      - namespace: logspam

  outputs:
  - name: syslog-out
    type: syslog
    syslog:
      url: tcp://rsyslog-service.syslog-server.svc.cluster.local:1514
      rfc: RFC5424
      facility: user
      enrichment: KubernetesMinimal

  pipelines:
  - name: app-to-syslog
    inputRefs:
    - logspam-logs
    outputRefs:
    - syslog-out

A few things worth understanding:

• inputs with application.includes scopes collection to the logspam namespace only. Remove this block and use the built-in application input ref to collect from all application namespaces.
• rfc: RFC5424 is the structured syslog format — facility, severity, hostname, and app name as defined fields, useful if your downstream system parses structured data.
• enrichment: KubernetesMinimal attaches a reduced set of Kubernetes metadata to each log event — namespace, pod name, and container name only. The default includes the full pod annotations and labels, which can push individual syslog messages to several kilobytes. KubernetesMinimal keeps messages manageable without losing the context you need for troubleshooting.
• url uses the internal service created in Step 2 since the CLF and the syslog server are on the same cluster.

Verify the Pipeline

Give the operator a moment to deploy the Vector DaemonSet, then confirm the CLF is ready:

oc get clusterlogforwarder instance -n openshift-logging -o jsonpath='{.status.conditions}' | jq .

Then watch the syslog server receive logs:

oc logs -n syslog-server -l app=rsyslog-server -f

You’ll see RFC5424 entries arriving from the logspam pod with minimal Kubernetes metadata:

2026-04-01T20:08:00Z [control-plane] logspam_log-generator_log-generator {...,"message":"[INFO] Application started successfully","level":"info","kubernetes":{"namespace_name":"logspam","pod_name":"log-generator-...","container_name":"log-generator"}}

That’s the forwarding pipeline working end-to-end.

Optional: Switch to the NodePort for External Access

If you want to simulate forwarding to a truly external syslog destination — or verify the NodePort is reachable from outside the cluster — the helper script patches the CLF URL to use the worker node IP and NodePort instead:

📄 5-get-external-url.sh

bash 5-get-external-url.sh

External syslog URL: tcp://10.0.1.42:31514
Patching ClusterLogForwarder...
clusterlogforwarder.observability.openshift.io/instance patched

The script reads the IP of a worker node, constructs the full tcp://<node-ip>:31514 URL, and patches the syslog-out output in place. In a real deployment this is where you’d substitute your centralized syslog server’s hostname and port — Splunk, Graylog, a managed SIEM — and nothing else in this setup changes.

That’s the forwarding pipeline complete. Logs leave your cluster, arrive at a syslog server you control, and the only thing connecting them is a ClusterLogForwarder and a service endpoint. In a real deployment, swap the internal service URL for your centralized syslog server — Splunk, Graylog, a managed SIEM — and nothing else changes.

If you want to go further and query those same logs interactively inside the cluster, the next post covers adding LokiStack and Grafana to the same setup: Querying OpenShift Logs with LokiStack and Grafana.

References

• OCP Logging 6.5 Docs: Configuring log forwarding
• OCP Logging 6.5 Docs: Installing logging

Why This Matters

The built-in dashboards are managed by the Cluster Monitoring Operator (CMO), which keeps them stable and consistent across upgrades. That’s the right behavior for platform infrastructure — but it means they’re not yours to modify, and the data inside them isn’t easy to export.

That gap matters more than people realize. Capacity planning, chargeback reporting, compliance exports, custom application dashboards — these are everyday asks that fall outside what the platform monitoring stack is designed to handle. Most teams hit this and assume it’s a dead end.

It isn’t. OpenShift exposes the full Thanos Querier API to any authorized client. You can query it directly with a Python script and get a CSV, or deploy your own Grafana instance alongside the platform one and build whatever dashboards your team needs — all without touching a single platform component.

The Steps

Approach 1 — Query Thanos directly and export a CSV

1. Confirm you’re logged into the cluster with oc
2. Run query_thanos.py with your PromQL query, time range, and output file
3. Open the CSV

Approach 2 — Deploy a custom Grafana instance

1. Create a namespace and service account
2. Create a long-lived token secret for that service account
3. Install the Grafana Operator from OperatorHub
4. Deploy a Grafana instance
5. Create a datasource pointing at the Thanos Querier
6. Retrieve your Grafana credentials and log in
7. Build dashboards and export data from the UI

How To Do It

Approach 1: Query Thanos Directly → CSV

A Python script authenticates against the Thanos Querier route using your existing oc session, runs a PromQL range query, and writes the results to a CSV file. No UI, no intermediate steps.

Prerequisites:

• oc CLI installed and logged in (oc whoami should return your username)
• Python 3.10+
• pip install requests

Script: query_thanos.py

Run it:

python query_thanos.py \
  --query 'sum by (namespace) (container_memory_working_set_bytes{container!=""})' \
  --days 7 \
  --output memory_by_namespace.csv

What it does under the hood:

At its core, the script is making one authenticated HTTP request to the Thanos query API. You can see the same thing manually with two oc commands and a curl:

# Get the external Thanos route URL
export THANOS_URL=$(oc get route thanos-querier -n openshift-monitoring -o jsonpath='{.spec.host}')

# Get your bearer token from the active oc session
export TOKEN=$(oc whoami -t)

# Set a time range (Unix epoch)
export END_TIME=$(date +%s)
export START_TIME=$(date -d "7 days ago" +%s)

# Hit the Thanos range query API directly
curl -k -H "Authorization: Bearer $TOKEN" \
  "https://$THANOS_URL/api/v1/query_range" \
  --data-urlencode 'query=sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate) by (pod)' \
  --data-urlencode "start=$START_TIME" \
  --data-urlencode "end=$END_TIME" \
  --data-urlencode 'step=3600s' > my_metrics.json

The Python script does exactly this — gets the route, grabs the token, calls the same endpoint — then goes one step further: it parses the JSON response and pivots it into a readable CSV instead of leaving it as raw JSON.

Example output:

DateTime,default,kube-system,openshift-monitoring
2025-03-24T00:00:00.000Z,1073741824,536870912,2147483648
2025-03-24T00:15:00.000Z,1073741824,536870912,2147483648

Options:

Access note: Your oc user needs the cluster-monitoring-view cluster role to query Thanos across all namespaces. If you can already see metrics in the OpenShift web console, you likely already have it.

Approach 2: Deploy Your Own Grafana Instance

A full Grafana UI — editable dashboards, panel-level CSV export, ad-hoc PromQL — running in its own namespace and pointed at the same Thanos backend as the platform stack.

Step 1: Create a Namespace and Service Account

📄 1-configureNamespaceSA.sh

oc create namespace my-custom-metrics
oc project my-custom-metrics

oc create sa custom-grafana-sa

oc adm policy add-cluster-role-to-user cluster-monitoring-view -z custom-grafana-sa

The cluster-monitoring-view role allows the service account to read metrics across all namespaces via Thanos.

Step 2: Create a Long-Lived Token Secret

📄 2-SA-secret.yaml

oc apply -f 2-SA-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: custom-grafana-token
  annotations:
    kubernetes.io/service-account.name: custom-grafana-sa
type: kubernetes.io/service-account-token

OCP 4.11+ deprecated oc sa get-token. A secret of type kubernetes.io/service-account-token annotated with the service account name is the supported replacement — OpenShift automatically populates the token key.

Step 3: Install the Grafana Operator

📄 3-install-Grafana.yaml

oc apply -f 3-install-Grafana.yaml

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: grafana-operator-group
  namespace: my-custom-metrics
spec:
  targetNamespaces:
  - my-custom-metrics
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: grafana-operator
  namespace: my-custom-metrics
spec:
  channel: v5
  installPlanApproval: Automatic
  name: grafana-operator
  source: community-operators
  sourceNamespace: openshift-marketplace

This installs the community Grafana Operator from OperatorHub — the path Red Hat’s own documentation points to for custom Grafana on OCP 4. Wait for the operator pod before continuing:

oc get pods -n my-custom-metrics -w

Step 4: Deploy a Grafana Instance

📄 4-create-Grafana-instance.yaml

oc apply -f 4-create-Grafana-instance.yaml

apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: custom-grafana
  namespace: my-custom-metrics
  labels:
    app: grafana
spec:
  route:
    spec: {}
  config:
    log:
      mode: "console"
    auth:
      disable_login_form: "false"

route: spec: {} tells the operator to create an OpenShift Route automatically. The app: grafana label is how the datasource in the next step knows which instance to attach to.

Step 5: Connect Grafana to the Thanos Querier

📄 5-create-Grafana-datasource.yaml

oc apply -f 5-create-Grafana-datasource.yaml

apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: openshift-monitoring-datasource
  namespace: my-custom-metrics
spec:
  instanceSelector:
    matchLabels:
      app: grafana
  valuesFrom:
    - targetPath: "secureJsonData.httpHeaderValue1"
      valueFrom:
        secretKeyRef:
          name: "custom-grafana-token"
          key: "token"
  datasource:
    name: OpenShift Thanos
    type: prometheus
    access: proxy
    url: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091
    isDefault: true
    jsonData:
      tlsSkipVerify: true
      httpHeaderName1: Authorization
    secureJsonData:
      httpHeaderValue1: "Bearer ${token}"

A few things worth understanding:

• thanos-querier.openshift-monitoring.svc.cluster.local:9091 is the in-cluster Thanos service. Port 9091 gives access across all namespaces.
• valuesFrom pulls the bearer token from the secret in Step 2 and injects it into the Authorization header automatically — no manual token management.
• tlsSkipVerify: true is standard for in-cluster service-to-service communication.

Step 6: Get Your Credentials and Log In

📄 6-get-grafana-creds.sh

bash 6-get-grafana-creds.sh

========================================
  Grafana Login Details
========================================
URL:      https://custom-grafana-route-my-custom-metrics.apps.your-cluster.example.com
Username: admin
Password: <generated>
========================================

The Grafana Operator stores generated credentials in a secret. This script retrieves and decodes them.

From here you have a fully editable Grafana instance. Use Explore for ad-hoc PromQL, or Dashboards to build and save views. To export any panel as CSV: panel menu → Inspect → Data → Download CSV.

Which Approach Should You Use?

References

• Red Hat KB: How to export Prometheus metrics into a CSV format in RHOCP4
• Red Hat Blog: Custom Grafana dashboards for Red Hat OpenShift Container Platform 4
• Red Hat Cloud Experts: Deploying Grafana on OpenShift 4