der-eismann opened a new issue, #31356:
URL: https://github.com/apache/airflow/issues/31356

   ### Official Helm Chart version
   
   1.9.0 (latest released)
   
   ### Apache Airflow version
   
   2.6.1
   
   ### Kubernetes Version
   
   1.26.3
   
   ### Helm Chart configuration
   
   ```yaml
   executor: "KubernetesExecutor"
   airflowVersion: "2.6.1"
   defaultAirflowTag: "2.6.1"
   ```
   
   ### Docker Image customizations
   
   ```Dockerfile
   FROM apache/airflow:slim-2.6.1-python3.10
   
   RUN pip install \
       'apache-airflow[cncf.kubernetes]' \
       'apache-airflow[google_auth]' \
       'apache-airflow[statsd]' \
       psycopg2-binary
   ```
   
   ### What happened
   
   As recommended in the docs, I installed the template with `--namespace airflow`. However, when using the `KubernetesExecutor` I get the following error:
   
   ```
   HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods
   is forbidden: User \"system:serviceaccount:default:apache-airflow-scheduler\" cannot list resource \"pods\"
   in API group \"\" in the namespace \"airflow\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
   ```
   
   I believe that happens because the [scheduler Deployment](https://github.com/apache/airflow/blob/main/chart/templates/scheduler/scheduler-deployment.yaml) is running in the `default` namespace, as is [its ServiceAccount](https://github.com/apache/airflow/blob/main/chart/templates/scheduler/scheduler-serviceaccount.yaml). However, in the pod-launcher RoleBinding, the [scheduler ServiceAccount in the `airflow` namespace](https://github.com/apache/airflow/blob/main/chart/templates/rbac/pod-launcher-rolebinding.yaml#L55-L57) (which doesn't exist) is referenced. So the actual ServiceAccount that the scheduler is using doesn't have any permissions.
   
   ### What you think should happen instead
   
   The scheduler pod should be able to list all pods in the airflow namespace, since the ServiceAccount should allow it to.
   
   ### How to reproduce
   
   Follow the official [docs for the Helm template](https://airflow.apache.org/docs/helm-chart/1.9.0/#installing-the-chart) & use the `KubernetesExecutor`
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
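
An added example, not part of the original issue or of the Airflow chart: a Python check that reads the identity out of the 403 `Status` body and compares it with the ServiceAccount subjects of the RoleBindings in the target namespace. The manifest below is constructed to match the situation the issue describes; the RoleBinding and Role names and the helper names are assumptions.

```python
import json
import re

# Constructed sample: the 403 body quoted in the issue, as one JSON document.
STATUS_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'pods is forbidden: User '
               '"system:serviceaccount:default:apache-airflow-scheduler" cannot list '
               'resource "pods" in API group "" in the namespace "airflow"',
    "reason": "Forbidden", "details": {"kind": "pods"}, "code": 403,
})

# Constructed RoleBinding: its subject names the scheduler ServiceAccount in
# "airflow", as the issue describes. Object names here are assumptions.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "apache-airflow-pod-launcher-rolebinding", "namespace": "airflow"},
    "roleRef": {"kind": "Role", "name": "apache-airflow-pod-launcher-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "apache-airflow-scheduler",
                  "namespace": "airflow"}],
}

SA_USER = re.compile(r'User "system:serviceaccount:(?P<namespace>[^:"]+):(?P<name>[^"]+)"')
TARGET_NS = re.compile(r'in the namespace "(?P<ns>[^"]*)"')


def denied_identity(status_body):
    """Return (sa_namespace, sa_name, target_namespace) from a Forbidden Status body."""
    status = json.loads(status_body)
    user = SA_USER.search(status.get("message", ""))
    target = TARGET_NS.search(status.get("message", ""))
    if status.get("reason") != "Forbidden" or not user or not target:
        raise ValueError("not a Forbidden status for a ServiceAccount")
    return user["namespace"], user["name"], target["ns"]


def diagnose(status_body, bindings):
    """Classify each RoleBinding subject that names the denied ServiceAccount."""
    sa_ns, sa_name, target_ns = denied_identity(status_body)
    findings = []
    for rb in bindings:
        if rb["metadata"]["namespace"] != target_ns:
            continue  # a RoleBinding grants access only inside its own namespace
        for s in rb.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and s.get("name") == sa_name:
                verdict = "bound" if s.get("namespace") == sa_ns else "namespace-mismatch"
                findings.append((verdict, rb["metadata"]["name"], s.get("namespace")))
    return findings or [("unbound", None, None)]
```

A `namespace-mismatch` finding means a binding exists for a ServiceAccount of the same name, but in a different namespace from the one the denied request was authenticated as.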
   

