https://prefect.io logo
v

Vicky Kwan

09/14/2023, 9:45 PM
hi how do I check the k8s configs for worker, similar to how I checked
prefect kubernetes manifest agent
? It says
... worker
isn't valid
n

Nate

09/14/2023, 9:47 PM
hey @Vicky Kwan - you can check out the helm chart
v

Vicky Kwan

09/14/2023, 9:56 PM
Hi @Nate thanks for the link! I'm actually having a bigger problem: I don't know how to pass the service account into a k8s worker pool, so the deployment can use this service account to access the correct namespace. the error I'm hitting is:
Screenshot 2023-09-14 at 2.56.28 PM.png
then I wanted to check what/where is this service account
system:serviceaccount:prefect:prefect-worker
, because in the pool config page I only set the service account name to be
prefect-api-key
which is the exact service account that I passed into our helm chart
how can I check: 1. which service account is this pool really using, and if not correct, I'll update to the correct one, 2. what permission set looks like for this service account, if I need to override, should I do it over
role.extraPermissions
on the chart? I want to peek into the base permission set first and see what we need to update to
3. I don't quite get it why it's looking for
kube-system
while I specified a new namespace
prefect
?
n

Nate

09/14/2023, 10:02 PM
if you go into
Edit
on your k8s work pool, you should see
and these should match your specifications in the helm chart to make sure your permissions work as expected
v

Vicky Kwan

09/14/2023, 10:09 PM
I tried that to match with the namespace and service account (on the org service accounts page right?) but still seeing the same error
n

Nate

09/14/2023, 10:10 PM
your service account is called
prefect-api-key
?
seems like that would be the name of your k8s secret holding your api key
the service account in this context refers to the kubernetes service account - if you didnt configure yourself manually, i would leave it at the default on the helm chart and here on the work pool
v

Vicky Kwan

09/15/2023, 9:03 PM
thanks Nate! turned out we needed to explicitly set the
cluster.Uid
and I also found another similar thread in here somewhere