openanalytics / shinyproxy-operator

Easily run ShinyProxy on a Kubernetes cluster
https://shinyproxy.io
Apache License 2.0

Service account roles pods/log #50

Open nik-humphries opened 1 month ago

nik-humphries commented 1 month ago

Upon updating to the new SPO + SP (2.1.0 / 3.1.0) I was receiving the following message on Kubernetes.

2024-05-15T12:35:56.237700027Z io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.0.0.1:443/api/v1/namespaces/apps/pods/sp-pod-9d680476-03ac-42a8-b851-28b801c61659-0/log?pretty=false. Message: pods "sp-pod-9d680476-03ac-42a8-b851-28b801c61659-0" is forbidden: User "system:serviceaccount:apps:shinyproxy-sa" cannot get resource "pods/log" in API group "" in the namespace "apps"

https://github.com/openanalytics/shinyproxy-operator/blob/977dccb01d7c9ac662dab7fc3a518d9c93ec1bef/docs/deployment/bases/shinyproxy/resources/shinyproxy.rbac.yaml#L11

I have added a permission into the role at the line above here to include pods/log as well as the other two that are already there.

Is this missing from the deployment example or is there something else I should be changing?

LEDfan commented 1 month ago

Hi, this permission is only needed when you have the container-log-path option enabled. Your change is correct and should fix the issue. However, I think we should indeed improve the documentation here; therefore I'll keep this issue open.
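
The following is an added example, not part of the thread or the project's code: it parses the RBAC denial from the log line above and checks it against a Role's rules the way Kubernetes matches them, where a grant on "pods" does not cover the "pods/log" subresource. The function names and the BEFORE rule set are assumptions made for illustration.

```python
import re

# Shape of the Kubernetes API server's RBAC denial text, as it appears in the
# exception quoted in the issue.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def rule_allows(rule, req):
    """Evaluate one Role rule as RBAC does: a subresource is a separate name."""
    def has(key, want):
        values = rule.get(key, [])
        return "*" in values or want in values
    sub = req["resource"].partition("/")[2]
    # Besides "*" and an exact match, RBAC accepts the "*/<subresource>" form.
    resource_ok = has("resources", req["resource"]) or (
        bool(sub) and "*/" + sub in rule.get("resources", []))
    return has("apiGroups", req["group"]) and has("verbs", req["verb"]) and resource_ok

def missing_rule(rules, req):
    """Return the narrowest rule that would permit req, or None if already allowed."""
    if any(rule_allows(r, req) for r in rules):
        return None
    return {"apiGroups": [req["group"]], "resources": [req["resource"]],
            "verbs": [req["verb"]]}

# Message text copied from the log line in the issue.
LOG_LINE = ('pods "sp-pod-9d680476-03ac-42a8-b851-28b801c61659-0" is forbidden: '
            'User "system:serviceaccount:apps:shinyproxy-sa" cannot get resource '
            '"pods/log" in API group "" in the namespace "apps"')

# Constructed Role rules for illustration (not the project's shinyproxy.rbac.yaml).
BEFORE = [{"apiGroups": [""], "resources": ["pods", "services"],
           "verbs": ["get", "list", "watch", "create", "delete"]}]

if __name__ == "__main__":
    req = parse_denial(LOG_LINE)
    print(req["user"], "in", req["namespace"], "needs:", missing_rule(BEFORE, req))
```

Adding "pods/log" to an existing rule's resource list grants it every verb in that rule; the rule returned here carries only the verb that was denied.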