Joshua Greenhalgh
03/24/2022, 12:28 PMjobs.batch is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"prefect\"
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: prefect-agent
name: prefect-agent
spec:
replicas: 1
selector:
matchLabels:
app: prefect-agent
template:
metadata:
labels:
app: prefect-agent
spec:
containers:
- args:
- prefect agent kubernetes start
command:
- /bin/bash
- -c
env:
- name: PREFECT__CLOUD__AGENT__AUTH_TOKEN
value: <MY_KEY>
- name: PREFECT__CLOUD__API
value: <https://api.prefect.io>
- name: NAMESPACE
value: prefect
- name: IMAGE_PULL_SECRETS
value: ''
- name: PREFECT__CLOUD__AGENT__LABELS
value: '[''test'']'
- name: JOB_MEM_REQUEST
value: ''
- name: JOB_MEM_LIMIT
value: ''
- name: JOB_CPU_REQUEST
value: ''
- name: JOB_CPU_LIMIT
value: ''
- name: IMAGE_PULL_POLICY
value: ''
- name: SERVICE_ACCOUNT_NAME
value: ''
- name: PREFECT__BACKEND
value: cloud
- name: PREFECT__CLOUD__AGENT__AGENT_ADDRESS
value: http://:8080
- name: PREFECT__CLOUD__API_KEY
value: <MY_KEY>
- name: PREFECT__CLOUD__TENANT_ID
value: ''
image: prefecthq/prefect:1.1.0-python3.7
imagePullPolicy: Always
livenessProbe:
failureThreshold: 2
httpGet:
path: /api/health
port: 8080
initialDelaySeconds: 40
periodSeconds: 40
name: agent
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: Role
metadata:
name: prefect-agent-rbac
namespace: prefect
rules:
- apiGroups:
- batch
- extensions
resources:
- jobs
verbs:
- '*'
- apiGroups:
- ''
resources:
- events
- pods
verbs:
- '*'
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: RoleBinding
metadata:
name: prefect-agent-rbac
namespace: prefect
roleRef:
apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
kind: Role
name: prefect-agent-rbac
subjects:
- kind: ServiceAccount
name: default
Jason Bertman
03/24/2022, 12:29 PMJoshua Greenhalgh
03/24/2022, 12:31 PMprefecthq/prefect:1.1.0-python3.7
in my config (the default) perhaps this is not the most recent?Anna Geller
03/24/2022, 1:48 PMlatest
tag, it's always the lowest supported version of Python (currently Python 3.7) and the latest Prefect release which as of now is 1.1.0Matthias
03/24/2022, 2:23 PMJoshua Greenhalgh
03/24/2022, 2:37 PMMatthias
03/24/2022, 2:39 PMprefect
exist in your cluster?Joshua Greenhalgh
03/24/2022, 2:54 PM(prefect-k8s) ➜ prefect-k8s kubectl get ns
NAME STATUS AGE
default Active 3h14m
kube-node-lease Active 3h14m
kube-public Active 3h14m
kube-system Active 3h14m
prefect Active 165m
--namespace
flag would provide config that created agent and rbac to work in that namespace but it seems to merely control the namespace that the jobs would run...Anna Geller
03/24/2022, 3:32 PMMatthias
03/24/2022, 3:38 PM