https://prefect.io logo
Channels
Powered by
s

Sivanandha Rajadurai

08/28/2023, 5:59 PM
What permission do the Kubernetes Service account need to run flows as k8s jobs ? We use argo cd and i have created a role to create jobs. Looks like it’s trying to get cluster namespaces as well
1
j

Jamie Zieziula

08/28/2023, 8:47 PM
Hi @Sivanandha Rajadurai, the worker should only need these permissions:
Copy code
- apiGroups: [""]
  resources: ["pods", "pods/log", "pods/status"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
however, on install the worker does attempt to query the 
kube-system
namespace and grab its UUID. If you don’t want to allow that - you can specify any UUID to use on the workers configuration under container environment variables like so:
Copy code
- name: PREFECT_KUBERNETES_CLUSTER_UID
  value: "UUID_HERE"
s

Sivanandha Rajadurai

08/28/2023, 10:25 PM
Yup thanks.
m

Marty Ko

08/31/2023, 7:00 AM
what is the purpose of getting this uuid?
j

Jamie Zieziula

08/31/2023, 5:22 PM
Hi Marty - this is the PR where it was introduced and does a good job explaining what we use it for
Powered by