Hi prefects. I’m trying to execute a RunNamespacedJob task in my kubernetes setup but I’m running into this error

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "jobs.batch \"dummy\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"jobs/status\" in API group \"batch\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "dummy",
    "group": "batch",
    "kind": "jobs"
  },
  "code": 403
}

For context, I’ve applied the yaml from

prefect agent kubernetes install --rbac

so all the permissions should work in theory. I'm stuck at what could be wrong

Nice work figuring this out! Regarding

*

, I think this makes sense because the task does multiple things: • it creates namespaced job • it then reads job status to check on it • finally it lists pods to get the exact pod name to read its logs and to delete it in the end So the job status permission was missing, which explains why it works when you use wildcard instead.

Ah okay

Yeah, you can check the code I shared and see there all the API action this task does. Reading logs + deleting a job may need another entries

Thanks Anna! Let me see if this works

The default RBAC only provides permissions to spin up flow runs as kubernetes jobs, it doesn’t provide permissions for other Kubernetes tasks

Okay it worked when I added

jobs/status

as a resource in the role definition

Thank you so much for sharing! 🙌