fritzb opened a new issue #13264:
URL: https://github.com/apache/airflow/issues/13264


**Apache Airflow version**: 1.10.14, 2.0.0

**Kubernetes version (if you are using kubernetes)** (use `kubectl version`): 1.18

**Environment**: AWS EKS, Kubernetes Executor, KubernetesPodOperator task

- **Cloud provider or hardware configuration**:
- **OS** (e.g. from /etc/os-release): Linux
- **Kernel** (e.g. `uname -a`):
- **Install tools**:
- **Others**:
   
**What happened**:
After upgrading to Airflow 1.10.14 with the v1-10-stable chart, I'm seeing an error message when I click on a task's log view while the task is running. Note that Airflow remote S3 logging is configured, and the task is a KubernetesPodOperator.
```
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '8526c27e-0818-40d5-8624-81379dcc369e', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Tue, 22 Dec 2020 03:12:12 GMT', 'Content-Length': '420'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \\"examplespodtask-6a747c58e60d490d95f2a519c88bf44c\\" is forbidden: User \\"system:serviceaccount:analytics:analytics-airflow-webserver\\" cannot get resource \\"pods/log\\" in API group \\"\\" in the namespace \\"analytics\\"","reason":"Forbidden","details":{"name":"examplespodtask-6a747c58e60d490d95f2a519c88bf44c","kind":"pods"},"code":403}\n'
```
   
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: analytics-airflow-pod-launcher-rolebinding
  labels:
    tier: airflow
    release: analytics-airflow
    chart: "airflow-1.0.0"
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: analytics-airflow-pod-launcher-role
subjects:
  - kind: ServiceAccount
    name: analytics-airflow-scheduler
  - kind: ServiceAccount
    name: analytics-airflow-worker
```
   
**What you expected to happen**:

My observation, without reading the Airflow code, is as follows: until the full logs are completed and uploaded to S3, the webserver will try to get the log from the actively running pod's logs via the Kubernetes API, and it requires a role which has access to the pods/log resource.
   
**How to reproduce it**:
Use the Helm chart from https://github.com/apache/airflow/tree/master/chart.
Click view logs while the task (KubernetesPodOperator) is running.
   
   
**Anything else we need to know**:
@pgagnon suggested the following role. Perhaps the official Helm chart can be modified to include the pod logs role below:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: analytics
  name: analytics-airflow-pod-logs-role
rules:
- apiGroups: [""]
  resources: ["pods/log", "pods/status"]
  verbs: ["get", "watch", "list"]
```
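An added example, not from this issue or the Airflow chart, that turns a 403 `Status` body like the one quoted above into the least-privilege fix: a namespaced Role granting only the denied verb and resource, plus the RoleBinding to the denied service account, which a Role on its own does not provide. The sample body is constructed from the error above with the pod name replaced by a placeholder; the manifest name `airflow-pod-logs` is an assumption.

```python
import json
import re

# Constructed sample: the shape of the 403 Status object the API server returns,
# taken from the issue's error with the pod name replaced by a placeholder.
FORBIDDEN_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'pods "examplespodtask-PLACEHOLDER" is forbidden: User '
               '"system:serviceaccount:analytics:analytics-airflow-webserver" '
               'cannot get resource "pods/log" in API group "" in the namespace "analytics"',
    "reason": "Forbidden", "code": 403,
})

# Matches the subject, verb, resource, API group and namespace in a Forbidden message.
MSG_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def parse_forbidden(body: str) -> dict:
    """Extract what was denied, and to whom, from a Kubernetes 403 Status body."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a Kubernetes 403 Status object")
    m = MSG_RE.search(status["message"])
    if not m:
        raise ValueError("unrecognised Forbidden message: %s" % status["message"])
    return m.groupdict()

def minimal_rbac(denied: dict, name: str = "airflow-pod-logs") -> list:
    """Return a namespaced Role with only the denied verb/resource and a RoleBinding
    to the denied ServiceAccount; namespaced, not a ClusterRole, to limit scope."""
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"namespace": denied["ns"], "name": name},
        "rules": [{"apiGroups": [denied["group"]],
                   "resources": [denied["resource"]],
                   "verbs": [denied["verb"]]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"namespace": denied["ns"], "name": name + "-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": denied["sa"],
                      "namespace": denied["sa_ns"]}],
    }
    return [role, binding]

if __name__ == "__main__":
    for obj in minimal_rbac(parse_forbidden(FORBIDDEN_BODY)):
        print(json.dumps(obj, indent=2))
```

The two objects are printed as JSON, which `kubectl apply -f` accepts directly.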

