jvaesteves opened a new issue #8039: KubernetesPodOperator on EKS ignores both user on kubeconfig and service_account_name

URL: https://github.com/apache/airflow/issues/8039

**Apache Airflow version**: 1.10.9

**Kubernetes version (if you are using kubernetes)**: client v1.17.2 | server v1.15.10-eks-bac369

**Environment**: production

- **Cloud provider or hardware configuration**: AWS
- **OS** (e.g. from /etc/os-release): Amazon Linux 2
- **Kernel** (e.g. `uname -a`): Linux 0 4.14.138
- **Install tools**: pip
- **Others**: aws-iam-authenticator

**What happened**:

When I deploy the Airflow pod on my cluster, attaching AWS credentials to the pod via secrets, I run `aws eks update-kubeconfig` in my entrypoint script to generate a kubeconfig file for it. The credential only has access to the **airflow** namespace, where every operation that it performs takes place. I executed a `kubectl run --image worker-image test` just to be sure that this user has pod creation privilege. But when I run the KubernetesPodOperator as follows, the client reports a Forbidden error:

```python
# Import path for Airflow 1.10.x; `dag` is the DAG object defined elsewhere in the file.
from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator

KubernetesPodOperator(
    task_id='task_name',
    dag=dag,
    name='worker-pod-nane',
    namespace="airflow",
    image="worker-image",
    image_pull_policy="Always",
    cmds=['python'],
    arguments=['task.py'],
)
```

Error:

```javascript
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:airflow:default\" cannot create resource \"pods\" in API group \"\" in the namespace \"airflow\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
```

To mitigate this error, I created an **airflow** ServiceAccount with full access to the namespace and added it as the `service_account_name` parameter to the operator, but the error was still the same, ignoring the new user name that I used.

**What you expected to happen**:

I wanted the operator to create a pod on the namespace using its AWS credentials instead of the default service account. If it is not possible, I want to know why it is ignoring the new serviceaccount that I passed as a parameter to the operator.
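As an added example (not part of the original issue and not Airflow's own code), the Python below parses the 403 body quoted in the issue to show which identity the API server authenticated. The `system:serviceaccount:<namespace>:<name>` form is the username Kubernetes assigns to a service account token, so the create call was made as the namespace's `default` service account. The function names and the expected identity used in the comparison are assumptions for illustration.

```python
import json
import re

# Error text copied from the issue above, including the client's prefix.
ERROR_TEXT = r'''HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:airflow:default\" cannot create resource \"pods\" in API group \"\" in the namespace \"airflow\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}'''

# Shape of the RBAC denial message as it appears in the issue.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)
SA_PREFIX = "system:serviceaccount:"


def parse_forbidden(error_text):
    """Return the denied subject/verb/resource as a dict, or None if not a 403 Status."""
    start = error_text.find("{")  # skip the "HTTP response body: " prefix
    if start == -1:
        return None
    try:
        status = json.loads(error_text[start:])
    except ValueError:
        return None
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    match = DENIAL.search(status.get("message", ""))
    if match is None:
        return None
    denied = match.groupdict()
    user = denied["user"]
    if user.startswith(SA_PREFIX):
        # Service account usernames are system:serviceaccount:<namespace>:<name>.
        parts = user[len(SA_PREFIX):].split(":", 1)
        if len(parts) == 2:
            denied["sa_namespace"], denied["sa_name"] = parts
    return denied


def credential_mismatch(denied, expected_users):
    """True when the authenticated subject is not one of the intended identities."""
    return denied["user"] not in expected_users
```
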