Sam Garvis

08/15/2022, 3:15 PM
I am getting the above error when trying to run a flow in Prefect 2.0. I'm in namespace dev-prefect in k8s. The flow logs in the Prefect UI are completely blank. Do I need to make a custom service account in k8s?

Jeff Hale

08/15/2022, 3:25 PM
Hi @Sam Garvis. Could you please move your code to this thread to keep the channel clean?

Sam Garvis

08/15/2022, 3:28 PM
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '548332e2-208f-4cde-9bd6-b6a76b63bc11', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '75bc4772-0e03-4b73-8452-8ae803c4c9db', 'X-Kubernetes-Pf-Prioritylevel-Uid': '33eac375-8a0a-44de-a86b-8769461b5c93', 'Date': 'Mon, 15 Aug 2022 14:51:58 GMT', 'Content-Length': '331'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"system:serviceaccount:dev-prefect:dev-prefect-agent-1\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"dev-prefect\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403}
prefectVersionTag: 2.0.4-python3.10

replicaCount: 4

  repository: samgarvis/prefect20_dockerfile
  tag: latest
  pullPolicy: Always

  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: <>
  # pullSecrets:
  #   - myRegistrKeySecretName

  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

  apiUrl: <>

  debugEnabled: true

  # -- Prefect cloud API key
    name: prefect-dev-service-secret
    key: prefect-dev-service-key

securityContext: {}
  # The securityContext this Pod should use. See <> for more.
  # runAsUser: 65534

nodeSelector: {}

affinity: {}

tolerations: []

annotations: {}

resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

podLabels: {}

nameOverride: ""
fullnameOverride: ""
Yes, sorry
:thank-you: 1

Bianca Hoch

08/15/2022, 4:48 PM
Hi Sam, here is a Prefect 1 doc which may help, despite the fact you're using 2.0. You need to add the permissions to run jobs in that namespace

Sam Garvis

08/15/2022, 5:00 PM
Also does there need to be a namespace option here on serviceaccount.yaml Because won't it just create this in the default namespace otherwise?

Christopher Boyd

08/15/2022, 6:42 PM
HI Sam, - there are options to set the namespace either at the cli when you install the helm chart with
, or through exporting and adding. This sets the global namespace for all config files in the chart
Here’s an example of a fresh deployment with that chart.


08/15/2022, 7:49 PM
also, in case this issue is a source of confusion - we are tracking it and we'll be making other ease-of-use changes over time
👍 1

Sam Garvis

08/15/2022, 10:39 PM
Perfect that last article was exactly what I needed. Thank you
👍 1