Restricting Access to K8S Log for Alibaba Cloud Container Service - K8S Cluster

8 September 2020


There are two recommended ways to give a user access to the logs of K8S pods and nothing more.

In this post, we describe how to grant that access in the Alibaba Cloud Container Service (CS) environment. We first explain how to grant a user only the access needed to read K8S logs with the "kubectl logs" command.

Alibaba Cloud CS also provides a web-based console for operating the K8S cluster, which makes cluster management much easier, so the logs can also be reached from the web portal. However, this requires granting the user more access: the extra permissions are needed to navigate the wizard steps that lead to the logging console.

Choosing which method to grant, and how the user is expected to reach the logs, is something of a balancing act between convenience and the amount of access given.

Access K8S Logs via "kubectl" CLI Method

vim clusterrole_name.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped; a metadata.namespace here is ignored by the API server.
  # The namespace a user is limited to is decided by the binding, not by the role.
  name: pods-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]   # "kubectl logs" reads the pod and then the pods/log subresource
  verbs: ["get"]

Before the role is granted, the user sees errors like these:
Error from server (Forbidden): pods "wordpress-74****89-****" is forbidden: User "2587****7294" cannot get resource "pods/log" in API group "" in the namespace "default"

Error from server (Forbidden): pods "wordpress-74****89-****" is forbidden: User "2587****7294" cannot get resource "pods" in API group "" in the namespace "default"

kubectl apply -f clusterrole_name.yaml
clusterrole.rbac.authorization.k8s.io/pods-and-pod-logs-reader created

kubectl logs wordpress-746****c89-nrfl4
WordPress not found in /var/www/html - copying now...
Complete! WordPress has been successfully copied to /var/www/html
[08-Sep-2020 06:56:19 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:19 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:22 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:22 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:25 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:25 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:28 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:28 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:31 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:31 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:34 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:34 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:37 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:37 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:40 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:40 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:43 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:43 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known
[08-Sep-2020 06:56:46 UTC] PHP Warning:  mysqli::__construct(): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22
[08-Sep-2020 06:56:46 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name or service not known in Standard input code on line 22

MySQL Connection Error: (2002) php_network_getaddresses: getaddrinfo failed: Name or service not known

WARNING: unable to establish a database connection to 'wordpress-mysql'
  continuing anyways (which might have unexpected results)

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.208. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.208. Set the 'ServerName' directive globally to suppress this message
[Tue Sep 08 06:56:46.510741 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/7.4.10 configured -- resuming normal operations
[Tue Sep 08 06:56:46.510790 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

The MySQL Connection Error appears because the deployment above is used only for illustration; I did not mean to deploy the whole deployment suite.


Access K8S Logs via Alibaba CS Console


To access logs via the Alibaba CS (Container Service) console, a few more permissions are needed.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["list"]
Without this permission, you cannot list the deployments, so you cannot open a deployment to carry out the next steps.


- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["[Name-Of-The-Deployment]"]
  verbs: ["get"]
Without this permission, you cannot get the details of a deployment (tmp-basic in this case), so you cannot open the deployment.


With this permission, a user who tries to access a deployment other than [Name-Of-The-Deployment] will get the error shown below.

To grant access to all deployments under a namespace, change that part of access definition to:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]

- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
Without this permission, users cannot list the pods in this UI, so they cannot select the pod whose logs they want to check.


The complete ClusterRole definition file is shown below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # A ClusterRole is cluster-scoped; a metadata.namespace here is ignored by the API server.
  # Limiting the user to one namespace is done by the binding, not by the role.
  name: pods-and-pod-logs-reader
rules:
# kubectl logs: read the pod and its pods/log subresource
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get"]
# console: list pods to pick the one whose logs to view
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
# console: list deployments, then open one
# (add resourceNames to the "get" rule to limit it to named deployments)
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]
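To see why each console step passes or fails under these rules, here is a small model of the RBAC rule matcher, added as an illustration and not taken from the post or from Kubernetes itself. The rule sets mirror the ClusterRole above at each stage (including the tmp-basic resourceNames variant), the pod and deployment names are constructed, and namespace scoping, which the binding decides, is left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str        # "" is the core API group, as in the post's error messages
    resource: str         # "pods" or, with subresource, "pods/log"
    name: str = ""        # object name; empty for list requests

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

    def allows(self, req: Request) -> bool:
        """A rule matches only if group, resource, verb and (when set) name all match."""
        group_ok = "*" in self.api_groups or req.api_group in self.api_groups
        resource_ok = "*" in self.resources or req.resource in self.resources
        verb_ok = "*" in self.verbs or req.verb in self.verbs
        # A list request carries no object name, so a rule with resourceNames never
        # grants "list"; that is why the post keeps resourceNames off the list rule.
        name_ok = not self.resource_names or req.name in self.resource_names
        return group_ok and resource_ok and verb_ok and name_ok

def authorize(rules, req: Request) -> bool:
    """RBAC is allow-only: any matching rule grants; no matching rule means denied."""
    return any(rule.allows(req) for rule in rules)

def forbidden_message(user: str, req: Request, namespace: str = "default") -> str:
    """Reproduce the wording of the Forbidden errors quoted earlier in the post."""
    return (f'User "{user}" cannot {req.verb} resource "{req.resource}" '
            f'in API group "{req.api_group}" in the namespace "{namespace}"')

# Rule sets mirroring the post's ClusterRole at each stage.
KUBECTL_ONLY = [Rule([""], ["pods", "pods/log"], ["get"])]
CONSOLE_COMMON = KUBECTL_ONLY + [Rule([""], ["pods"], ["list"]),
                                 Rule(["apps"], ["deployments"], ["list"])]
CONSOLE_ONE_DEPLOYMENT = CONSOLE_COMMON + [
    Rule(["apps"], ["deployments"], ["get"], resource_names=["tmp-basic"])]
CONSOLE_ALL_DEPLOYMENTS = CONSOLE_COMMON + [Rule(["apps"], ["deployments"], ["get"])]

if __name__ == "__main__":
    pod = "tmp-basic-7d9f8-x2k4q"                       # constructed pod name
    for req in (Request("list", "apps", "deployments"), Request("get", "apps", "deployments", "other-app"),
                Request("get", "", "pods/log", pod), Request("create", "", "pods/exec", pod)):
        verdict = "allowed" if authorize(CONSOLE_ONE_DEPLOYMENT, req) else forbidden_message("2587****7294", req)
        print(f"{req.verb} {req.resource} {req.name}: {verdict}")
```

The same checks against a live cluster are made with "kubectl auth can-i <verb> <resource> --as <user> -n default", which evaluates the real bindings as well.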

Category: container Tags: public
