Description of problem:
Create a new project, then log into this project as "joe" user, then run "osc log pod name"

[jialiu@jialiu-pc1 beta2]$ echo $KUBECONFIG
/home/jialiu/.kube/kubeconfig-joe-wiring
[jialiu@jialiu-pc1 beta2]$ cat /home/jialiu/.kube/kubeconfig-joe-wiring
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /var/lib/openshift/openshift.local.certificates/ca/root.crt
    server: https://10.66.79.111:8443
  name: 10.66.79.111:8443
contexts:
- context:
    cluster: 10.66.79.111:8443
    namespace: wiring
    user: joe
  name: 10.66.79.111:8443-joe
current-context: 10.66.79.111:8443-joe
kind: Config
preferences: {}
users:
- name: joe
  user:
    token: OTY5NTYxMDctZmY4NC00NzhjLWEyNWMtNWIxMTdiZDRjYzlj
[jialiu@jialiu-pc1 beta2]$ osc log frontend-1-m68gl
Forbidden: "/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld?follow=false" denied by default

Version-Release number of selected component (if applicable):
openshift-0.4-0.git.43.e57c9a8.el7ose.x86_64

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Pod logs go through the /proxy endpoint, which gives direct, unnamespaced access to nodes. For that reason, it requires cluster-admin-level access. Project admins do not currently have access. There is ongoing work to provide access to pod logs in a namespace-controlled way so that project admins can have this permission.
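The scoping problem described in this comment, as an added example that is not OpenShift's authorizer code and not part of the original thread: a simplified path-based authorizer in which a project-scoped binding cannot match the node proxy path from the report. The Attrs and Binding types, the "clusteradmin" user and the "/namespaces/..." log path are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Attrs is what this simplified (assumed) authorizer sees for one request.
type Attrs struct{ Namespace, Resource string } // Namespace "" = cluster-scoped

// Binding grants a user access; Namespace "" means cluster-wide.
type Binding struct{ User, Namespace string }

// Parse derives attributes from an API path. Assumed model: only a
// "namespaces/<name>" segment right after "api/<version>" sets the namespace.
func Parse(path string) Attrs {
	path = strings.SplitN(path, "?", 2)[0] // drop the query string
	p := strings.Split(strings.Trim(path, "/"), "/")
	if len(p) < 3 {
		return Attrs{}
	}
	p = p[2:] // drop "api/<version>"
	if len(p) >= 3 && p[0] == "namespaces" {
		return Attrs{Namespace: p[1], Resource: p[2]}
	}
	return Attrs{Resource: p[0]} // e.g. "proxy": no namespace to check against
}

// Allowed is deny-by-default: a namespaced binding only matches a request
// whose namespace was established by Parse, never a cluster-scoped one.
func Allowed(bs []Binding, user string, a Attrs) bool {
	for _, b := range bs {
		if b.User == user && (b.Namespace == "" || (a.Namespace != "" && b.Namespace == a.Namespace)) {
			return true
		}
	}
	return false
}

func main() {
	bs := []Binding{{"joe", "wiring"}, {"clusteradmin", ""}} // constructed bindings
	// Path taken from the error message in the report.
	proxy := Parse("/api/v1beta1/proxy/minions/jialiu-node1/containerLogs/wiring/frontend-1-m68gl/ruby-helloworld?follow=false")
	// Constructed namespaced log path, for contrast only.
	scoped := Parse("/api/v1beta1/namespaces/wiring/pods/frontend-1-m68gl/log")
	fmt.Println("joe via node proxy:", Allowed(bs, "joe", proxy))
	fmt.Println("joe via namespaced path:", Allowed(bs, "joe", scoped))
}
```

In the proxy path "wiring" is only a segment the node interprets, so the API-side check has no namespace to compare the binding against.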
(In reply to Jordan Liggitt from comment #1)
> There is ongoing work to provide access to pod logs in a
> namespace-controlled way so that project admins can have this permission.

Should it just be project admins by default? Would expect other roles to need this too, and while admins can always modify policy... seems to me it ought to match expectations as best as possible by default. I think I would even expect "view" roles to see logs.
Non-cluster admins should be able to access logs as of beta3.
According to https://bugzilla.redhat.com/show_bug.cgi?id=1217834#c3, move this bug to verified.
Closing this as part of a bulk update/cleanup of multiple bugs that were VERIFIED before OSE 3.0 GA but were left open and haven't been updated since. If this bug was meant to stay open for some reason please reopen.