You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "Parhy (Jira)" <ji...@apache.org> on 2020/02/13 20:59:00 UTC

[jira] [Created] (AIRFLOW-6798) Add option for service account values for KubernetesPodOperator

Parhy created AIRFLOW-6798:
------------------------------

             Summary: Add option for service account values for KubernetesPodOperator
                 Key: AIRFLOW-6798
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-6798
             Project: Apache Airflow
          Issue Type: Bug
          Components: contrib
    Affects Versions: 1.10.3
         Environment: dev
            Reporter: Parhy


I am trying to run  the below dag in a k8s environment.

 

from airflow import DAG
from datetime import datetime, timedelta
from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator
from airflow import configuration as conf
from airflow.contrib.kubernetes.pod import Resources

default_args = {
 'owner': 'airflow',
 'depends_on_past': False,
 'start_date': datetime(2019, 1, 1),
 'email_on_failure': False,
 'email_on_retry': False,
 'retries': 1,
 'retry_delay': timedelta(minutes=5),
}

namespace = conf.get('kubernetes', 'namespace')

# This will detect the default namespace locally and read the
# environment namespace when deployed to Astronomer.
dag = DAG('example_kubernetes_pod',
 schedule_interval='@once',
 default_args=default_args)

compute_resource = Resources()
compute_resource.request_cpu = '5000m'
compute_resource.request_memory = '512Mi'
compute_resource.limit_cpu = '800m'
compute_resource.limit_memory = '1Gi'

#compute_resource = \{'request_cpu': '500m', 'request_memory': '512Mi', 'limit_cpu': '800m', 'limit_memory': '1Gi'}

with dag:
 k = KubernetesPodOperator(
 namespace=namespace,
 image="hello-world",
 labels=\{"foo": "bar"},
 name="airflow-test-pod",
 task_id="task-one",
 in_cluster=False, # if set to true, will look in the cluster, if false, looks for file
 resources=compute_resource,
 config_file=None,
 is_delete_pod_operator=True,
 get_logs=True)

 

I am getting the below error 

 

HTTP response headers: HTTPHeaderDict(\{'Audit-Id': 'xxxxx', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Thu, 13 Feb 2020 17:00:11 GMT', 'Content-Length': '276'})
HTTP response body: \{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:xxx:default\" cannot create resource \"pods\" in API group \"\" in the namespace \"xxx\"","reason":"Forbidden","details":\{"kind":"pods"},"code":403}

 

I understand its trying to use the default serviceaccount in my namespace and default don't have permission to create pod.

Can we pass the name of the serviceaccount which I created which has permission to do so.

Please let me know. 

 

KubernetesExecutor is working fine as in that case the scheduler pod is added with the service account which has permission through rolebinding to create the pod.

 

Thanks in advance,



--
This message was sent by Atlassian Jira
(v8.3.4#803005)