Leon Kozlowski

    9 months ago
    Has anyone ever attached a service account to their agent with helm? I’m getting 403s after attaching a service account - including error message in thread
    "Failure","message":"jobs.batch is forbidden: User \"system:serviceaccount:default:prefect-agent\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"default\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403}
    Kevin Kho

    9 months ago
    Did you set the env variable to define the service account?
    - name: SERVICE_ACCOUNT_NAME
      value: ''
    Leon Kozlowski

    9 months ago
    is that for the flow or the agent?
    Anna Geller

    9 months ago
    for the agent. You can get the full template this way:
    prefect agent kubernetes install >> k8s.yaml
    Leon Kozlowski

    9 months ago
    I’m thinking this is more on the k8s side because of this:
    kubectl auth can-i --as=system:serviceaccount:default:prefect-agent create jobs -n default
    this yields
    no
    does that env var just override this:
    subjects:
      - kind: ServiceAccount
        name: default
    in the RoleBinding?
    Kevin Kho

    9 months ago
    Will ask someone who knows more than me
    Leon Kozlowski

    9 months ago
    I got it to work (I believe)
    Tyler Wanner

    9 months ago
    what was the trick?
    Leon Kozlowski

    9 months ago
    In my rolebinding.yaml:
    subjects:
      - kind: ServiceAccount
        name: {{ include "<CHART_NAME>.fullname" . }}
    Removed the 403 error I was getting
    My flow is noop-ing but I’m not exactly sure if it’s related to this
    Also - the service account is defined in a serviceaccount.yaml - so it inherits from the chart fullname