Samay Kapadia
01/19/2022, 8:59 AM
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "jobs.batch \"dummy\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"jobs/status\" in API group \"batch\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "dummy",
    "group": "batch",
    "kind": "jobs"
  },
  "code": 403
}
For context, I’ve applied the yaml from prefect agent kubernetes install --rbac so all the permissions should work in theory. I'm stuck at what could be wrong.
Samay Kapadia
01/19/2022, 9:44 AM
Samay Kapadia
01/19/2022, 11:38 AM
* instead of jobs, so there is something fishy going on
Anna Geller
*, I think this makes sense because the task does multiple things:
• it creates a namespaced job
• it then reads job status to check on it
• finally it lists pods to get the exact pod name to read its logs and to delete it in the end
So the job status permission was missing, which explains why it works when you use a wildcard instead.
Samay Kapadia
01/19/2022, 11:47 AM
Samay Kapadia
01/19/2022, 11:48 AM
*, so adding job status should work?
Samay Kapadia
01/19/2022, 11:48 AM
prefect agent kubernetes install --rbac should be amended to fix this
Anna Geller
Samay Kapadia
01/19/2022, 11:49 AM
Anna Geller
Samay Kapadia
01/19/2022, 11:57 AM
jobs/status as a resource in the role definition
Samay Kapadia
01/19/2022, 11:57 AM
Samay Kapadia
01/19/2022, 11:58 AM
rules:
  - verbs:
      - '*'
    apiGroups:
      - extensions
      - batch
    resources:
      - jobs/status
      - jobs
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - events
      - pods
Anna Geller