Abhinav Chordia
04/17/2023, 6:01 PM
Submission failed. kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'd8c61061-378f-4686-8163-07b21c220c17', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '903a45a7-c309-4b50-9720-817e715a41a4', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'a496d18f-252e-4832-8af8-99bab3405eea', 'Date': 'Mon, 17 Apr 2023 18:00:51 GMT', 'Content-Length': '346'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:prefect:prefect-agent\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"","reason":"Forbidden","details":{"name":"kube-system","kind":"namespaces"},"code":403}
deployment = Deployment.build_from_flow(
    flow=call_api,
    name="example",
    version=1,
    infrastructure=kubernetes_job_block,
    work_queue_name="default",
    path="/user/abhinav",
    storage=az_block,
)
deployment.apply()

k8s_job = KubernetesJob(
    namespace="prefect",
    image="docker.gh.st/hypo:latest",
    image_pull_policy=KubernetesImagePullPolicy.ALWAYS,
    finished_job_ttl=300,
    job_watch_timeout_seconds=600,
    pod_watch_timeout_seconds=600,
    service_account_name="prefect-server",
    customizations=customizations,
)
k8s_job.save("devk8s", overwrite=True)
redsquare
04/17/2023, 6:34 PM
jawnsy
04/17/2023, 6:43 PM
Abhinav Chordia
04/17/2023, 6:48 PM
prefect namespace and wanted to run it there as well but it’s still requiring being able to list the kube-system namespace
prefect kubernetes manifest agent also has:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prefect-agent
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prefect-agent-cluster-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: prefect-agent
  apiGroup: rbac.authorization.k8s.io

apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRole
metadata:
  name: {{ include "common.names.fullname" . }}
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]

apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
  name: {{ include "common.names.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ template "agent.serviceAccountName" . }}
    namespace: {{ include "common.names.namespace" . | quote }}
roleRef:
  kind: ClusterRole
  name: {{ template "common.names.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
jawnsy
04/17/2023, 7:30 PM
Abhinav Chordia
04/17/2023, 7:31 PM
Jamie Zieziula
04/18/2023, 2:39 AM
kube-system namespace ID.
If for some reason that is not working with your install path, you can set a UID here. This will eliminate the need for a cluster role & binding
Abhinav Chordia
04/18/2023, 4:11 AM
jawnsy
04/18/2023, 2:16 PM
Abhinav Chordia
04/18/2023, 2:19 PM
jawnsy
04/18/2023, 3:44 PM