How to access Kubernetes pod logs in Tanzu Hub for troubleshooting

Article ID: 428024


Products

VMware Tanzu Platform Core

Issue/Introduction

This article explains how to retrieve Kubernetes pod logs for troubleshooting backend services in Tanzu Hub, and clarifies which Tanzu Hub virtual machine should be used for running kubectl.

Tanzu Hub is delivered as a BOSH-managed appliance.
Internally, Tanzu Hub backend components (such as GraphQL or postgres services) run as containers orchestrated by Kubernetes.

While this Kubernetes runtime is not exposed to end users for management purposes, access to pod logs may be required during advanced troubleshooting (for example, when diagnosing attach failures, certificate validation errors, or backend service errors).

Not all virtual machines in the Tanzu Hub deployment have sufficient Kubernetes permissions to retrieve pod logs.

For troubleshooting purposes, kubectl access with appropriate permissions is available on the Tanzu Hub registry VM.
This VM is preconfigured with an administrative Kubernetes context and is the supported entry point for retrieving Tanzu Hub pod logs.

Environment

Tanzu Hub

Resolution

Step 1 – Identify the Tanzu Hub registry VM

From a system with BOSH access:

bosh deployments --column=name | grep hub

Identify the VM with a name similar to:

hub-####################

Step 2 – SSH into the registry VM

bosh -d hub-#################### ssh registry/########-####-####-####-########

Step 3 – Use kubectl to access pod logs

On the registry VM, kubectl is already configured and authorized.

Examples:

List namespaces:

kubectl get ns

List pods across all namespaces:

kubectl get pods -A

Retrieve logs from a specific pod:

kubectl logs -n <namespace> <pod-name>

Follow logs while reproducing an issue:

kubectl logs -n <namespace> <pod-name> -f

Additional Information

kubectl may fail on other VMs

If kubectl is run from a control/* VM, the following error may be observed:

 Error from server (Forbidden): User "kubelet" cannot get resource "pods/log"
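
The script below is an added example, not part of the original article or of VMware's tooling. It builds on the Step 3 commands to save the logs of every pod in one namespace, and first checks the pods/log permission whose absence produces the Forbidden error above. The function names, the arguments and the output layout are assumptions.

```shell
#!/bin/sh
# Added example: save logs from every pod in one namespace (run on the registry VM).
# Function names, arguments and output layout are assumptions, not VMware tooling.

# can_read_logs NAMESPACE: true if the current kubectl identity may read pods/log.
can_read_logs() {
    [ "$(kubectl auth can-i get pods --subresource=log -n "$1" 2>/dev/null)" = "yes" ]
}

# collect_pod_logs NAMESPACE OUTDIR: writes OUTDIR/NAMESPACE/<pod>.log per pod and
# prints how many pods were saved. The body is a subshell, so umask stays local.
collect_pod_logs() (
    ns=$1
    dir=$2/$1
    if ! can_read_logs "$ns"; then
        echo "cannot read pods/log in '$ns'; run this on the registry VM" >&2
        exit 1
    fi
    umask 077    # logs may hold tokens or connection strings: owner-only files
    mkdir -p "$dir" || exit 1
    saved=0
    for pod in $(kubectl get pods -n "$ns" -o name); do
        name=${pod#pod/}
        if kubectl logs -n "$ns" "$name" --all-containers --timestamps \
            > "$dir/$name.log"; then
            saved=$((saved + 1))
        else
            echo "warning: no logs for $name" >&2
        fi
        # Logs of the previous container instance exist only after a restart.
        kubectl logs -n "$ns" "$name" --all-containers --timestamps --previous \
            > "$dir/$name.previous.log" 2>/dev/null || rm -f "$dir/$name.previous.log"
    done
    echo "$saved"
)

# Usage: sh collect-logs.sh <namespace> <output-dir>
if [ "$#" -ge 2 ]; then
    collect_pod_logs "$1" "$2"
fi
```

Because the files are created with owner-only permissions, copy them off the registry VM over an authenticated channel and delete the directory once the case is closed.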