Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add rbac.serviceaccounts value #871

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

fllaca
Copy link

@fllaca fllaca commented Jul 1, 2024

What issues does your PR fix?

Fixes dags that use the KubernetesPodOperator setting service_account_name argument to a custom service account other than Airflow's:

[2024-07-01, 11:16:27 UTC] {pod.py:1107} INFO - Building pod REDACTED with labels: {'dag_id': '32.02-AgentIngest', 'task_id': 'REDACTED', 'run_id': 'scheduled__2024-07-01T1000000000-03129e074', 'kubernetes_pod_operator': 'True', 'try_number': '2'}
[2024-07-01, 11:16:28 UTC] {base.py:84} INFO - Using connection ID 'kubernetes_default' for task execution.
[2024-07-01, 11:16:28 UTC] {pod_manager.py:334} ERROR - Exception when attempting to create Namespaced Pod: {   "apiVersion": "v1",   "kind": "Pod",   [...REDACTED...]  "serviceAccountName": "mysa",     "tolerations": [],     "volumes": []   } }
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.10/site-packages/airflow/providers/cncf/kubernetes/utils/pod_manager.py", line 329, in run_pod_async
    resp = self._client.create_namespaced_pod(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 7356, in create_namespaced_pod
    return self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)  # noqa: E501
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 7455, in create_namespaced_pod_with_http_info
    return self.api_client.call_api(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 391, in request
    return self.rest_client.POST(url,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/rest.py", line 279, in POST
    return self.request("POST", url,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/rest.py", line 238, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'd28ba1ed-88b3-4d23-b564-57833dad63d5', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': 'd8c1c6ea-5cae-4996-8995-669952a8f74a', 'X-Kubernetes-Pf-Prioritylevel-Uid': '35d5696a-251b-4647-8347-fb0f98fea966', 'Date': 'Mon, 01 Jul 2024 11:16:28 GMT', 'Content-Length': '311'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"REDACTED\" is forbidden: error looking up service account dev/mysa: serviceaccount \"mysa\" not found","reason":"Forbidden","details":{"name":"REDACTED","kind":"pods"},"code":403}

NOTE: HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"REDACTED\" is forbidden: error looking up service account dev/mysa: serviceaccount \"mysa\" not found","reason":"Forbidden","details":{"name":"REDACTED","kind":"pods"},"code":403}

What does your PR do?

Adds a rbac.serviceaccounts value to allow Airflow's to get/list serviceaccounts

Checklist

For all Pull Requests

For releasing ONLY

@fllaca fllaca requested a review from thesuperzapper as a code owner July 1, 2024 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant