I made a service account that is bound to a ClusterRole.
Here is the ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops-tools-role
  namespace: devops-tools   # has no effect: a ClusterRole is cluster-scoped
rules:
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - extensions
  - policy
  - rbac.authorization.k8s.io
  - networking.k8s.io
  resources:
  - pods
  - componentstatuses
  - configmaps
  - daemonsets
  - deployments
  - events
  - endpoints
  - horizontalpodautoscalers
  - ingress                 # not a resource name; the correct plural is "ingresses", listed next
  - ingresses
  - jobs
  - limitranges
  - namespaces
  - nodes
  - pods                    # duplicate of the "pods" entry above; harmless but redundant
  - persistentvolumes
  - persistentvolumeclaims
  - resourcequotas
  - replicasets
  - replicationcontrollers
  - serviceaccounts
  - services
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
I try to read logs from a pod:
kubectl -n dfg02 logs postgres-69c7bb5cf7-dstzt
and got:
Error from server (Forbidden): pods "postgres-69c7bb5cf7-dstzt" is forbidden: User "system:serviceaccount:devops-tools:bino" cannot get resource "pods/log" in API group "" in the namespace "dfg02"
So I switch to the 'admin' account and try to find which resource to add to the ClusterRole:
✘ bino@corobalap ~/gitjece kubectl config use-context k0s-cluster
Switched to context "k0s-cluster".
bino@corobalap ~/gitjece kubectl api-resources |grep log
and got nothing.
My question is: how do I add 'log read rights' to a ClusterRole?
Sincerely
-bino-
CodePudding user response:
Logs are a sub-resource of Pods, and just specifying pods in the resources section isn't enough.
So simply add the following to your YAML, then it should work:
resources:
- pods
- pods/log
PS: You've specified pods twice in your resources section; not that it does anything, but I just wanted to point it out.
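To make the subresource point concrete, here is an added example (not code from the question, the answer, or Kubernetes itself) that reimplements the resource-matching semantics Kubernetes RBAC uses for a PolicyRule: a rule resource matches a request only when it is "*", the exact "resource/subresource" string, or "*/subresource". It evaluates the poster's rule and the fixed rule against a request for "get pods/log". The PolicyRule and Attributes types, the rule sets and the helper names are constructed for this example; the resource list is reduced to the entries that matter here.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule holds the fields of an RBAC rule that matter for this check
// (a simplified stand-in for rbac.authorization.k8s.io/v1 PolicyRule; constructed here).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Attributes is the request being authorized: verb, API group, resource and an
// optional subresource, e.g. verb "get" on resource "pods", subresource "log".
type Attributes struct {
	Verb        string
	APIGroup    string
	Resource    string
	Subresource string
}

func verbMatches(rule PolicyRule, verb string) bool {
	for _, v := range rule.Verbs {
		if v == "*" || v == verb {
			return true
		}
	}
	return false
}

func apiGroupMatches(rule PolicyRule, group string) bool {
	for _, g := range rule.APIGroups {
		if g == "*" || g == group {
			return true
		}
	}
	return false
}

// resourceMatches mirrors the RBAC semantics: a rule resource matches "*",
// the exact combined "resource/subresource" string, or "*/subresource".
// "pods" alone never matches "pods/log", and "pods/*" is NOT a wildcard in
// RBAC: it would only ever match the literal string "pods/*".
func resourceMatches(rule PolicyRule, resource, subresource string) bool {
	combined := resource
	if subresource != "" {
		combined = resource + "/" + subresource
	}
	for _, r := range rule.Resources {
		if r == "*" || r == combined {
			return true
		}
		if subresource != "" && strings.HasPrefix(r, "*/") && r[2:] == subresource {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request. RBAC is allow-only
// (there are no deny rules), so the first matching rule decides.
func Allowed(rules []PolicyRule, a Attributes) bool {
	for _, rule := range rules {
		if verbMatches(rule, a.Verb) && apiGroupMatches(rule, a.APIGroup) &&
			resourceMatches(rule, a.Resource, a.Subresource) {
			return true
		}
	}
	return false
}

var allVerbs = []string{"get", "list", "watch", "create", "update", "patch", "delete"}

// OriginalRules: the poster's rule, trimmed to the core API group and a few resources.
var OriginalRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "services"}, Verbs: allVerbs},
}

// FixedRules: the same rule with the pods/log subresource added, as the answer suggests.
var FixedRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}, Verbs: allVerbs},
}

func main() {
	logs := Attributes{Verb: "get", APIGroup: "", Resource: "pods", Subresource: "log"}
	exec := Attributes{Verb: "create", APIGroup: "", Resource: "pods", Subresource: "exec"}
	fmt.Println("original rule allows get pods/log:   ", Allowed(OriginalRules, logs)) // false
	fmt.Println("fixed rule allows get pods/log:      ", Allowed(FixedRules, logs))    // true
	fmt.Println("fixed rule allows create pods/exec:  ", Allowed(FixedRules, exec))    // false
}
```

The same logic explains why `kubectl api-resources | grep log` turns up nothing: subresources such as pods/log, pods/exec and pods/portforward are not listed there, and each one needs its own entry in the rule. On a live cluster the quickest check after applying the change is `kubectl auth can-i get pods/log -n dfg02 --as=system:serviceaccount:devops-tools:bino`.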