Merge pull request #219 from circleci/ONPREM-1694/logging-service-account

christian-stephen · web-flow · commit 2f377eaf72bb · 2025-08-06T08:57:17.000-03:00
[ONPREM-1694] Explicitly document the logging service account for container runner
diff --git a/docs/guides/modules/execution-runner/pages/container-runner.adoc b/docs/guides/modules/execution-runner/pages/container-runner.adoc
@@ -376,11 +376,11 @@ In addition, link:#logging-containers[Logging containers] require the following
 ** List
 ** Watch
 
-By default a `Role`, `RoleBinding` and service account are created and attached to the container runner pod, but if you customize these, the above are the minimum required permissions.
+By default a `Role`, `RoleBinding` and service account are created and attached to the container runner pod. If you customize these, the permissions listed above are the minimum required.
 
-It is assumed that the container runner is running in a Kubernetes namespace without any other workloads. It is possible that the agent or garbage collection (GC) could delete pods in the same namespace.
+The logging collector uses a dedicated service account with the other permissions listed above, and is mounted in the logging container of the task pod when service containers are present. This can be customized if needed.
 
-NOTE: Cluster-wide permissions are used by container runner to autodetect the OS and CPU architecture of the node that the task pod is running on. If you do not want to grant these permissions to container runner, you can set `agent.autodetectPlatform` to `false`, which will assume the node OS and architecture matches the node that the container runner pod is on.
+It is assumed that the container runner is running in a Kubernetes namespace without any other workloads. It is possible that the agent or garbage collection (GC) could delete pods in the same namespace.
 
 [#garbage-collection]
 == Garbage collection
