Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/12/22 21:37:47 UTC
[GitHub] [airflow] fritzb opened a new issue #13264: pods/log role is needed for webserver k8s serviceaccount
fritzb opened a new issue #13264:
URL: https://github.com/apache/airflow/issues/13264
**Apache Airflow version**: 1.10.14, 2.0.0
**Kubernetes version (if you are using kubernetes)** (use `kubectl version`): 1.18
**Environment**: AWS EKS, Kubernetes Executor, KubernetesPodOperator task
- **Cloud provider or hardware configuration**:
- **OS** (e.g. from /etc/os-release): Linux
- **Kernel** (e.g. `uname -a`):
- **Install tools**:
- **Others**:
**What happened**:
After upgrading to Airflow 1.10.14 with the v1-10-stable chart, I'm seeing an error message when I click to view a task's log while the task is running. Note that Airflow remote S3 logging is configured, and the task is a KubernetesPodOperator.
```
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '8526c27e-0818-40d5-8624-81379dcc369e', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Tue, 22 Dec 2020 03:12:12 GMT', 'Content-Length': '420'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \\"examplespodtask-6a747c58e60d490d95f2a519c88bf44c\\" is forbidden: User \\"system:serviceaccount:analytics:analytics-airflow-webserver\\" cannot get resource \\"pods/log\\" in API group \\"\\" in the namespace \\"analytics\\"","reason":"Forbidden","details":{"name":"examplespodtask-6a747c58e60d490d95f2a519c88bf44c","kind":"pods"},"code":403}\n'
```
```
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: analytics-airflow-pod-launcher-rolebinding
  labels:
    tier: airflow
    release: analytics-airflow
    chart: "airflow-1.0.0"
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: analytics-airflow-pod-launcher-role
subjects:
  - kind: ServiceAccount
    name: analytics-airflow-scheduler
  - kind: ServiceAccount
    name: analytics-airflow-worker
```
**What you expected to happen**:
My observation, without reading the Airflow code, is as follows: until the full logs are completed and uploaded to S3, the webserver will try to get the log from the actively running pod's logs via the Kubernetes API, and it requires a role which has access to pods/log resources.
**How to reproduce it**:
Use the Helm chart from https://github.com/apache/airflow/tree/master/chart.
Click view logs while the task (KubernetesPodOperator) is running.
**Anything else we need to know**:
@pgagnon suggested the following role. Perhaps the official Helm chart can be modified to include the pod logs role below:
```
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: analytics
  name: analytics-airflow-pod-logs-role
rules:
  - apiGroups: [""]
    resources: ["pods/log", "pods/status"]
    verbs: ["get", "watch", "list"]
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] boring-cyborg[bot] commented on issue #13264: pods/log role is needed for webserver k8s serviceaccount
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #13264:
URL: https://github.com/apache/airflow/issues/13264#issuecomment-749787307
Thanks for opening your first issue here! Be sure to follow the issue template!
[GitHub] [airflow] mik-laj closed issue #13264: pods/log role is needed for webserver k8s serviceaccount
Posted by GitBox <gi...@apache.org>.
mik-laj closed issue #13264:
URL: https://github.com/apache/airflow/issues/13264
[GitHub] [airflow] mik-laj commented on issue #13264: pods/log role is needed for webserver k8s serviceaccount
Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #13264:
URL: https://github.com/apache/airflow/issues/13264#issuecomment-749789656
Duplicate: https://github.com/apache/airflow/pull/11729