benrifkind commented on issue #67261:
URL: https://github.com/apache/airflow/issues/67261#issuecomment-4503569671
@Miretpl
> could you please add the Helm configuration? It can be hard to find an
> issue without it, as it is connected to Helm.
For sure. Here's what I have for the workers in values.yaml:
```yaml
"workers":
  "celery":
    "keda":
      "enabled": true
      "minReplicaCount": 0
    "persistence":
      "enabled": false
    "podAnnotations":
      "karpenter.sh/do-not-disrupt": "true"
    "replicas": 0
    "resources":
      "limits":
        "cpu": "3"
        "memory": "10Gi"
      "requests":
        "cpu": "2"
        "memory": "8Gi"
    "serviceAccount":
      "name": "worker"
    "terminationGracePeriodSeconds": 1800
```
The relevant bit. The service account name is **worker**.
```yaml
"workers":
  "celery":
    "serviceAccount":
      "name": "worker"
```
The airflow-pod-launcher-rolebinding sets its worker subject to
airflow-worker (the chart's default) instead of worker:
```
$> kubectl get rolebinding airflow-pod-launcher-rolebinding -n airflow-staging -o jsonpath='{.subjects}'
[
{
"kind": "ServiceAccount",
"name": "airflow-worker",
"namespace": "airflow-staging"
},
{
"kind": "ServiceAccount",
"name": "airflow-triggerer",
"namespace": "airflow-staging"
}
]
```
The service account name on the worker deployment is correct:
```
$> kubectl get deployment airflow-worker -o jsonpath='{.spec.template.spec.serviceAccountName}'
```
This gets me this error when a k8s task pod runs (via the
`KubernetesPodOperator`):
```
[2026-05-20 17:40:25] ERROR - Task failed with exception
ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id':
'b2b92098-e557-49e6-b1e6-765dca6d4723', 'Cache-Control': 'no-cache, private',
'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff',
'X-Kubernetes-Pf-Flowschema-Uid': '2ebe0f7d-8cbb-4c2d-9851-8f9f32e0007f',
'X-Kubernetes-Pf-Prioritylevel-Uid': '7650eaf2-ef5b-4713-b0df-0abf35cb359f',
'Date': 'Wed, 20 May 2026 23:40:25 GMT', 'Content-Length': '297'})
HTTP response body:
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods
is forbidden: User \"system:serviceaccount:airflow-staging:worker\" cannot
list resource \"pods\" in API group \"\" in the namespace
\"airflow-staging\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
File
"/home/airflow/.local/lib/python3.12/site-packages/airflow/sdk/execution_time/task_runner.py",
line 1263 in run
```
This config solves the issue for me. I think the duplication is unnecessary
and I just need the top-level serviceAccount key set:
```yaml
"workers":
  "celery":
    "serviceAccount":
      "name": "worker"
  "serviceAccount":
    "name": "worker"
```
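As an added drift check (not code from the issue, the chart or its author), assuming objects in the shape `kubectl get ... -o json` returns: it reports any Deployment whose ServiceAccount the RoleBinding does not bind, using the RoleBinding subjects and the `worker` ServiceAccount from the comment above as constructed sample data.

```python
# Added example (not from the issue or the Airflow chart): check that the
# ServiceAccount a Deployment runs as is a subject of the RoleBinding meant
# to grant it. Object shapes match `kubectl get ... -o json`.

def rolebinding_subjects(rb):
    """Set of (namespace, name) ServiceAccount subjects bound by a RoleBinding."""
    rb_ns = rb["metadata"]["namespace"]
    bound = set()
    for s in rb.get("subjects") or []:
        if s.get("kind") == "ServiceAccount":
            # Assumption: a subject without a namespace refers to the RoleBinding's own.
            bound.add((s.get("namespace", rb_ns), s["name"]))
    return bound

def deployment_service_account(deploy):
    """ServiceAccount the pod template runs as (Kubernetes default: 'default')."""
    pod = deploy["spec"]["template"]["spec"]
    return pod.get("serviceAccountName") or pod.get("serviceAccount") or "default"

def find_unbound(rolebinding, deployments):
    """(deployment name, 'system:serviceaccount:<ns>:<sa>') for every Deployment
    whose ServiceAccount the RoleBinding does not bind; the user string is the
    one that appears in the 403 'User ... cannot list resource "pods"' body."""
    bound = rolebinding_subjects(rolebinding)
    unbound = []
    for d in deployments:
        ns, sa = d["metadata"]["namespace"], deployment_service_account(d)
        if (ns, sa) not in bound:
            unbound.append((d["metadata"]["name"], f"system:serviceaccount:{ns}:{sa}"))
    return unbound

# Constructed sample mirroring the comment: chart-default subjects, but the
# worker Deployment runs as 'worker'.
ROLEBINDING = {
    "metadata": {"name": "airflow-pod-launcher-rolebinding", "namespace": "airflow-staging"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow-staging"},
        {"kind": "ServiceAccount", "name": "airflow-triggerer", "namespace": "airflow-staging"},
    ],
}
DEPLOYMENTS = [
    {"metadata": {"name": "airflow-worker", "namespace": "airflow-staging"},
     "spec": {"template": {"spec": {"serviceAccountName": "worker"}}}},
    {"metadata": {"name": "airflow-triggerer", "namespace": "airflow-staging"},
     "spec": {"template": {"spec": {"serviceAccountName": "airflow-triggerer"}}}},
]

if __name__ == "__main__":
    for name, user in find_unbound(ROLEBINDING, DEPLOYMENTS):
        print(f"{name}: {user} is not a subject of the RoleBinding")
```

Run it against live objects by feeding `json.load` of `kubectl get rolebinding ... -o json` and `kubectl get deployment ... -o json` in place of the constructed dicts.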