Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

I am getting the above error when trying to run a flow in Prefect 2.0.
I'm in namespace dev-prefect in k8s.
The flow logs in the Prefect UI are completely blank.
Do I need to make a custom service account in k8s?

Hi <@U0379NGC1FA>. Could you please move your code to this thread to keep the channel clean?

```Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '548332e2-208f-4cde-9bd6-b6a76b63bc11', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '75bc4772-0e03-4b73-8452-8ae803c4c9db', 'X-Kubernetes-Pf-Prioritylevel-Uid': '33eac375-8a0a-44de-a86b-8769461b5c93', 'Date': 'Mon, 15 Aug 2022 14:51:58 GMT', 'Content-Length': '331'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"system:serviceaccount:dev-prefect:dev-prefect-agent-1\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"dev-prefect\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403}```

```prefectVersionTag: 2.0.4-python3.10

replicaCount: 4

image:
  repository: samgarvis/prefect20_dockerfile
  tag: latest
  pullPolicy: Always

  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/>
  ##
  # pullSecrets:
  #   - myRegistrKeySecretName

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

config:
  apiUrl: <https://api.prefect.cloud>
  accountId: "XXXXXXXXXXXXXXXXXX"
  workspaceName: "XXXXXXXXXXXXXXXXXX"
  workQueueName: "XXXXXXXXXXXXXXXXXX"

  debugEnabled: true

  # -- Prefect cloud API key
  apiKeySecret:
    name: prefect-dev-service-secret
    key: prefect-dev-service-key

securityContext: {}
  # The securityContext this Pod should use. See <https://kubernetes.io/docs/concepts/policy/security-context/> for more.
  # runAsUser: 65534

nodeSelector: {}

affinity: {}

tolerations: []

annotations: {}

resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

podLabels: {}

nameOverride: ""
fullnameOverride: ""```
Yes, sorry

Hi Sam, here is a <https://docs-v1.prefect.io/orchestration/agents/kubernetes.html#rbac|Prefect 1 doc> which may help, despite the fact you're using 2.0. You need to add the permissions to run jobs in that namespace

Also does there need to be a namespace option here on serviceaccount.yaml
Because won't it just create this in the default namespace otherwise?
<https://github.com/PrefectHQ/prefect-helm/blob/main/charts/prefect-agent/templates/agent/serviceaccount.yaml>

HI Sam, - there are options to set the namespace either at the cli when you install the helm chart with `--namespace` , or through exporting and adding.
This sets the global namespace for all config files in the chart

image.png

Here’s an example of a fresh deployment with that chart.

also, in case <https://github.com/PrefectHQ/prefect-helm/issues/24|this issue> is a source of confusion - we are tracking it and we'll be making other ease-of-use changes over time

Perfect that last article was exactly what I needed. Thank you