Samay Kapadia
01/19/2022, 8:59 AM{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "jobs.batch \"dummy\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"jobs/status\" in API group \"batch\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "dummy",
"group": "batch",
"kind": "jobs"
},
"code": 403
}
For context, I’ve applied the yaml from prefect agent kubernetes install --rbac
so all the permissions should work in theory. I'm stuck at what could be wrong*
instead of jobs
, so there is something fishy goign onAnna Geller
*
, I think this makes sense because the task does multiple things:
• it creates namespaced job
• it then reads job status to check on it
• finally it lists pods to get the exact pod name to read its logs and to delete it in the end
So the job status permission was missing, which explains why it works when you use wildcard instead.Samay Kapadia
01/19/2022, 11:47 AM*
, so adding job status should work?prefect agent kubernetes install --rbac
should be amended to fix thisAnna Geller
Samay Kapadia
01/19/2022, 11:49 AMAnna Geller
Samay Kapadia
01/19/2022, 11:57 AMjobs/status
as a resource in the role definitionrules:
- verbs:
- '*'
apiGroups:
- extensions
- batch
resources:
- jobs/status
- jobs
- verbs:
- '*'
apiGroups:
- ''
resources:
- events
- pods
Anna Geller