grepthat opened a new issue #11696:
URL: https://github.com/apache/airflow/issues/11696
**Apache Airflow version**: v2.0.0a1 (latest master)
**Environment**:
- **OS**: Ubuntu 18.04.4 LTS
- **Kubernetes**: v1.19.3
- **Docker**: v19.03.12
- **Helm**: v3.3.4
**What happened**:
Trying to get a task log from the task instance list
(*http://localhost:8080/taskinstance/list/*) yields an error saying that the
**ServiceAccount airflow-webserver does not have the permission to list
pods/log**.
```
*** Trying to get logs (last 100 lines) from worker pod ***
*** Unable to fetch logs from worker pod ***
(403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private',
'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff',
'Date': 'Tue, 20 Oct 2020 16:36:31 GMT', 'Content-Length': '296'})
HTTP response body:
b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods
is forbidden: User \\"system:serviceaccount:airflow:airflow-webserver\\"
cannot list resource \\"pods/log\\" in API group \\"\\" in the namespace
\\"airflow\\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}\n'
```
**How to reproduce it**:
I created a Kubernetes cluster using `kubeadm` and added Flannel as the Pod
network. Afterward, I built the *Airflow production image* via breeze, then
deployed it to the cluster via `helm` (*Mounting DAGS from an externally populated
PVC*):
```bash
$~ ./breeze build-image --production-image
$~ helm install airflow . \
    --namespace airflow \
    --set dags.persistence.enabled=true \
    --set dags.persistence.existingClaim=my-hostPath-claim \
    --set dags.gitSync.enabled=false \
    --set uid=1000 \
    --set gid=1000 \
    --set executor=KubernetesExecutor \
    --set images.airflow.tag=master-python3.6
$~ kubectl get pods -n airflow
NAME                                 READY   STATUS    RESTARTS   AGE
airflow-postgresql-0                 1/1     Running   0          75m
airflow-scheduler-6df9cf9855-4xzd4   2/2     Running   0          75m
airflow-statsd-5556dc96bc-zdtjp      1/1     Running   0          75m
airflow-webserver-dc8c746b7-9wqlh    1/1     Running   0          75m
```
I triggered a simple DAG. Also posting it here for completeness.
<details>
<summary>DAG file</summary>
```python
from airflow import DAG
from datetime import timedelta, datetime
from airflow.operators.bash_operator import BashOperator

dag = DAG(
    'simple_dag',
    default_args={
        'owner': 'airflow',
        'depends_on_past': False,
        'retries': 0,
        'start_date': datetime(1970, 1, 1),
        'retry_delay': timedelta(seconds=30),
    },
    description='',
    schedule_interval=None,
    catchup=False,
)

t1 = BashOperator(
    task_id='task1',
    bash_command='echo 1',
    dag=dag
)
```
</details>
**Possible solution**:
Checking `airflow/chart/templates/rbac/pod-launcher-rolebinding.yaml` I can
verify that the ServiceAccount *airflow-webserver* can't get the needed
*airflow-pod-launcher-role* permissions (as stated in the error). Also, I think
`airflow/chart/templates/rbac/pod-launcher-role.yaml` additionally needs the
*"list"* verb for the *"pods/log"* resource. Applying these changes gets rid of
the error but yields a different error. Nevertheless, should I add these changes
to the chart templates?
```
*** Trying to get logs (last 100 lines) from worker pod ***
*** Unable to fetch logs from worker pod ***
(400)
Reason: Bad Request
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private',
'Content-Type': 'application/json', 'Date': 'Tue, 20 Oct 2020 16:29:32 GMT',
'Content-Length': '136'})
HTTP response body:
b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"name
must be provided","reason":"BadRequest","code":400}\n'
```
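To tell apart the two gaps the report points at (the ServiceAccount not being bound to the role, and the role lacking the verb), the denied request can be parsed out of the 403 body and checked against the RBAC objects. This is an added example, not code from the issue or from the Airflow chart; the rule contents, the `airflow-scheduler` subject and the helper names are constructed assumptions, and the evaluator models only namespaced Roles and RoleBindings.

```python
import json
import re

# "message" and "code" taken from the 403 Status body quoted in the report.
FORBIDDEN_BODY = json.dumps({"kind": "Status", "code": 403, "reason": "Forbidden", "message":
    'pods is forbidden: User "system:serviceaccount:airflow:airflow-webserver" cannot list '
    'resource "pods/log" in API group "" in the namespace "airflow"'})

# Constructed RBAC objects (assumed rules and subject, NOT the chart's real templates).
ROLES = {"airflow-pod-launcher-role": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
]}
BINDINGS = [{"role": "airflow-pod-launcher-role", "namespace": "airflow",
             "subjects": ["system:serviceaccount:airflow:airflow-scheduler"]}]

DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')


def parse_denial(body):
    """Return the denied request as a dict, or None if the body is not an RBAC 403."""
    status = json.loads(body)
    if status.get("code") != 403:
        return None
    match = DENIED.search(status.get("message", ""))
    return match.groupdict() if match else None


def _match(values, wanted):
    # Simplified matching: exact value or the "*" wildcard only.
    return "*" in values or wanted in values


def diagnose(req, roles, bindings):
    """Classify a request as 'allowed', 'no-binding' or 'missing-rule'."""
    bound = [b["role"] for b in bindings
             if b["namespace"] == req["namespace"] and req["user"] in b["subjects"]]
    if not bound:
        return "no-binding"  # subject is not referenced by any RoleBinding
    for rule in (r for name in bound for r in roles.get(name, [])):
        if (_match(rule["apiGroups"], req["group"])
                and _match(rule["resources"], req["resource"])
                and _match(rule["verbs"], req["verb"])):
            return "allowed"
    return "missing-rule"  # bound, but no rule grants this verb on this resource


if __name__ == "__main__":
    print(diagnose(parse_denial(FORBIDDEN_BODY), ROLES, BINDINGS))
```

A result of `no-binding` points at the RoleBinding subjects, while `missing-rule` points at the Role's verbs; the 400 body from the report is not an RBAC denial, so `parse_denial` returns `None` for it.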