Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/04/01 00:12:20 UTC

[GitHub] [airflow] jvaesteves opened a new issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name

jvaesteves opened a new issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name
URL: https://github.com/apache/airflow/issues/8039
 
 
   **Apache Airflow version**: 1.10.9
   
   **Kubernetes version (if you are using kubernetes)**: client v1.17.2 | server v1.15.10-eks-bac369
   
   **Environment**: production
   
   - **Cloud provider or hardware configuration**: AWS
   - **OS** (e.g. from /etc/os-release): Amazon Linux 2
   - **Kernel** (e.g. `uname -a`): Linux 0 4.14.138
   - **Install tools**: pip
   - **Others**: aws-iam-authenticator
   
   **What happened**:
   
   When I deploy the Airflow pod on my cluster, attaching AWS credentials to the pod via secrets, I run `aws eks update-kubeconfig` in my entrypoint script to generate a kubeconfig file for it.
   
   The credential only has access to the **airflow** namespace, where every operation that it performs takes place. I executed a `kubectl run --image worker-image test` just to be sure that this user has pod creation privilege.
   
   But when I run the KubernetesPodOperator as follows, the client reports a Forbidden error:
   
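   ```python
   from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator

   # `dag` is the DAG object defined elsewhere in the DAG file.
   KubernetesPodOperator(
       task_id='task_name',
       dag=dag,
       name='worker-pod-nane',
       namespace="airflow",
       image="worker-image",
       image_pull_policy="Always",
       cmds=['python'],
       arguments=['task.py'],
   )
   ```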
   
   Error: 
   ```text
   HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:airflow:default\" cannot create resource \"pods\" in API group \"\" in the namespace \"airflow\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
   ```
   
   To mitigate this error, I created an **airflow** ServiceAccount with full access to the namespace and passed it to the operator as the `service_account_name` parameter, but the error was still the same, ignoring the new user name that I used.
   
   **What you expected to happen**:
   
   I wanted the operator to create a pod in the namespace using its AWS credentials instead of the default service account. If that is not possible, I want to know why it is ignoring the new service account that I passed as a parameter to the operator.
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
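
As an added example (not part of the original issue or of Airflow's code): the `User` named in a Forbidden Status is the identity the API server authenticated for the request, so parsing the 403 quoted above shows which credential the client actually presented. The helper names are hypothetical, the sample body is the one from the issue, and the generated `kubectl auth can-i ... --as` command assumes the person running it has impersonation rights.

```python
import json
import re
import shlex

# Constructed sample: the Status body from the 403 quoted in the issue.
SAMPLE_BODY = (
    r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    r'"message":"pods is forbidden: User \"system:serviceaccount:airflow:default\" '
    r'cannot create resource \"pods\" in API group \"\" in the namespace \"airflow\"",'
    r'"reason":"Forbidden","details":{"kind":"pods"},"code":403}'
)

# Shape of the RBAC denial sentence inside a Forbidden Status message.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)


def parse_forbidden(body):
    """Return who was denied what, from a 403 Status body (hypothetical helper)."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    match = DENIED.search(status.get("message", ""))
    if match is None:
        raise ValueError("unrecognised Forbidden message")
    denied = match.groupdict()
    # Service accounts authenticate as system:serviceaccount:<namespace>:<name>.
    parts = denied["user"].split(":")
    is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
    denied["subject_kind"] = "ServiceAccount" if is_sa else "User"
    denied["sa_namespace"], denied["sa_name"] = (parts[2], parts[3]) if is_sa else (None, None)
    return denied


def caller_is(denied, namespace, name):
    """True if the API server saw the request as the given service account."""
    return (denied["sa_namespace"], denied["sa_name"]) == (namespace, name)


def can_i_command(denied):
    """kubectl command that re-checks the denied permission for the same subject."""
    cmd = ["kubectl", "auth", "can-i", denied["verb"], denied["resource"], "--as", denied["user"]]
    if denied["namespace"]:
        cmd += ["--namespace", denied["namespace"]]
    return shlex.join(cmd)
```

Calling `parse_forbidden(SAMPLE_BODY)` and then `caller_is(denied, "airflow", "airflow")` shows whether the request reached the API server as the **airflow** ServiceAccount or as something else.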

[GitHub] [airflow] boring-cyborg[bot] commented on issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name
URL: https://github.com/apache/airflow/issues/8039#issuecomment-606953271
 
 
   Thanks for opening your first issue here! Be sure to follow the issue template!
   


[GitHub] [airflow] jvaesteves closed issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name

Posted by GitBox <gi...@apache.org>.
jvaesteves closed issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name
URL: https://github.com/apache/airflow/issues/8039
 
 
   


[GitHub] [airflow] jvaesteves commented on issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name

Posted by GitBox <gi...@apache.org>.
jvaesteves commented on issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name
URL: https://github.com/apache/airflow/issues/8039#issuecomment-607315700
 
 
   I figured out what I was doing wrong. By creating a credential with the awscli command, I was preventing the operator from using the proper service account.
