Joshua Greenhalgh
03/24/2022, 12:28 PMjobs.batch is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"prefect\"
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: prefect-agent
name: prefect-agent
spec:
replicas: 1
selector:
matchLabels:
app: prefect-agent
template:
metadata:
labels:
app: prefect-agent
spec:
containers:
- args:
- prefect agent kubernetes start
command:
- /bin/bash
- -c
env:
- name: PREFECT__CLOUD__AGENT__AUTH_TOKEN
value: <MY_KEY>
- name: PREFECT__CLOUD__API
value: <https://api.prefect.io>
- name: NAMESPACE
value: prefect
- name: IMAGE_PULL_SECRETS
value: ''
- name: PREFECT__CLOUD__AGENT__LABELS
value: '[''test'']'
- name: JOB_MEM_REQUEST
value: ''
- name: JOB_MEM_LIMIT
value: ''
- name: JOB_CPU_REQUEST
value: ''
- name: JOB_CPU_LIMIT
value: ''
- name: IMAGE_PULL_POLICY
value: ''
- name: SERVICE_ACCOUNT_NAME
value: ''
- name: PREFECT__BACKEND
value: cloud
- name: PREFECT__CLOUD__AGENT__AGENT_ADDRESS
value: http://:8080
- name: PREFECT__CLOUD__API_KEY
value: <MY_KEY>
- name: PREFECT__CLOUD__TENANT_ID
value: ''
image: prefecthq/prefect:1.1.0-python3.7
imagePullPolicy: Always
livenessProbe:
failureThreshold: 2
httpGet:
path: /api/health
port: 8080
initialDelaySeconds: 40
periodSeconds: 40
name: agent
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: Role
metadata:
name: prefect-agent-rbac
namespace: prefect
rules:
- apiGroups:
- batch
- extensions
resources:
- jobs
verbs:
- '*'
- apiGroups:
- ''
resources:
- events
- pods
verbs:
- '*'
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: RoleBinding
metadata:
name: prefect-agent-rbac
namespace: prefect
roleRef:
apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
kind: Role
name: prefect-agent-rbac
subjects:
- kind: ServiceAccount
name: default
Jason Bertman
03/24/2022, 12:29 PMJoshua Greenhalgh
03/24/2022, 12:31 PMprefecthq/prefect:1.1.0-python3.7
in my config (the default) perhaps this is not the most recent?Anna Geller
latest
tag, it's always the lowest supported version of Python (currently Python 3.7) and the latest Prefect release which as of now is 1.1.0Matthias
03/24/2022, 2:23 PMJoshua Greenhalgh
03/24/2022, 2:37 PMMatthias
03/24/2022, 2:39 PMprefect
exist in your cluster?Joshua Greenhalgh
03/24/2022, 2:54 PM(prefect-k8s) ➜ prefect-k8s kubectl get ns
NAME STATUS AGE
default Active 3h14m
kube-node-lease Active 3h14m
kube-public Active 3h14m
kube-system Active 3h14m
prefect Active 165m
--namespace
flag would provide config that created agent and rbac to work in that namespace but it seems to merely control the namespace that the jobs would run...Anna Geller
Matthias
03/24/2022, 3:38 PM