docs: update tekton and topology documentation with pod log permissio…

…ns (#668)
janus-idp · Aug 24, 2023 · 5b0a9f7 · 5b0a9f7
1 parent 30200b5
commit 5b0a9f7
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 4 deletions.
diff --git a/plugins/tekton/README.md b/plugins/tekton/README.md
@@ -23,9 +23,11 @@ The Tekton plugin enables you to visualize the `PipelineRun` resources available
          plural: 'taskruns'
   ```
 - The Kubernetes plugin is configured and connects to the cluster using a `ServiceAccount`.
-- The [`ClusterRole`](https://backstage.io/docs/features/kubernetes/configuration#role-based-access-control) must be granted for custom resources (PipelineRuns and TaskRuns) to `ServiceAccount` accessing the cluster. If you have the Backstage Kubernetes Plugin configured, then the `ClusterRole` is already granted.
+- The [`ClusterRole`](https://backstage.io/docs/features/kubernetes/configuration#role-based-access-control) must be granted for custom resources (PipelineRuns and TaskRuns) to `ServiceAccount` accessing the cluster.
+- To be able to view the pod logs, you will need to the grant permissions for `pods/log`
+- If you have the Backstage Kubernetes Plugin configured, then the `ClusterRole` is already granted.
 
-  You can use the following code to grant the `ClusterRole` for custom resources:
+  You can use the following code to grant the `ClusterRole` for custom resources and pod logs:
 
   ```yaml
     ...
@@ -34,6 +36,14 @@ The Tekton plugin enables you to visualize the `PipelineRun` resources available
     metadata:
       name: backstage-read-only
     rules:
+      - apiGroups:
+          - ""
+        resources:
+          - pods/log
+        verbs:
+          - get
+          - list
+          - watch
       ...
       - apiGroups:
           - tekton.dev
@@ -46,7 +56,7 @@ The Tekton plugin enables you to visualize the `PipelineRun` resources available
 
   ```
 
-  > Tip: You can use our [prepared manifest for a read-only `ClusterRole`](https://raw.githubusercontent.com/janus-idp/backstage-plugins/main/plugins/tekton/manifests/clusterrole.yaml), providing both Kubernetes plugin andd Tekton plugin access.
+  > Tip: You can use our [prepared manifest for a read-only `ClusterRole`](https://raw.githubusercontent.com/janus-idp/backstage-plugins/main/plugins/tekton/manifests/clusterrole.yaml), providing both Kubernetes plugin and Tekton plugin access.
 
 - The following annotation is added to the entity's `catalog-info.yaml` file to identify whether an entity contains the Kubernetes resources:
 

diff --git a/plugins/tekton/manifests/clusterrole.yaml b/plugins/tekton/manifests/clusterrole.yaml
@@ -7,6 +7,7 @@ rules:
   - apiGroups:
       - ''
     resources:
+      - pods/log
       - pods
       - services
       - configmaps

diff --git a/plugins/topology/README.md b/plugins/topology/README.md
@@ -11,7 +11,7 @@ The Topology plugin enables you to visualize the workloads such as Deployment, J
 - The Kubernetes plugins including `@backstage/plugin-kubernetes` and `@backstage/plugin-kubernetes-backend` are installed and configured by following the [installation](https://backstage.io/docs/features/kubernetes/installation) and [configuration](https://backstage.io/docs/features/kubernetes/configuration) guides.
 - The Kubernetes plugin is configured and connects to the cluster using a `ServiceAccount`.
 - The [`ClusterRole`](https://backstage.io/docs/features/kubernetes/configuration#role-based-access-control) must be granted to `ServiceAccount` accessing the cluster. If you have the Backstage Kubernetes plugin configured, then the `ClusterRole` is already granted.
-- The following must be added in`customResources` component in the [`app-config.yaml`](https://backstage.io/docs/features/kubernetes/configuration#configuring-kubernetes-clusters) file to view the OpenShift route:
+- The following must be added in`customResources` component in the [`app-config.yaml`](https://backstage.io/docs/features/kubernetes/configuration#configuring-kubernetes-clusters) file to view the OpenShift route as well:
 
   ```yaml
    kubernetes:
@@ -42,6 +42,25 @@ The Topology plugin enables you to visualize the workloads such as Deployment, J
 
   ```
 
+- The following permission must be granted to the [`ClusterRole`](https://backstage.io/docs/features/kubernetes/configuration#role-based-access-control) to be able to view the pod logs:
+
+  ```yaml
+  apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    name: backstage-read-only
+  rules:
+    - apiGroups:
+        - ''
+      resources:
+        - pods
+        - pods/log
+      verbs:
+        - get
+        - list
+        - watch
+  ```
+
 - The following code must be added in`customResources` component in the [`app-config.yaml`](https://backstage.io/docs/features/kubernetes/configuration#configuring-kubernetes-clusters) file to view the Tekton PipelineRuns list in the side panel and to view the latest PipelineRun status in the Topology node decorator:
 
   ```yaml

diff --git a/plugins/topology/manifests/clusterrole.yaml b/plugins/topology/manifests/clusterrole.yaml
@@ -7,6 +7,7 @@ rules:
   - apiGroups:
       - ''
     resources:
+      - pods/log
       - pods
       - services
       - configmaps