jvaesteves opened a new issue #8039: KubernetesPodOperator on EKS ignores both 
user on kubeconfig and service_account_name
URL: https://github.com/apache/airflow/issues/8039
 
 
   **Apache Airflow version**: 1.10.9
   
   **Kubernetes version (if you are using kubernetes)**: client v1.17.2 | 
server v1.15.10-eks-bac369
   
   **Environment**: production
   
   - **Cloud provider or hardware configuration**: AWS
   - **OS** (e.g. from /etc/os-release): Amazon Linux 2
   - **Kernel** (e.g. `uname -a`): Linux 0 4.14.138
   - **Install tools**: pip
   - **Others**: aws-iam-authenticator
   
   **What happened**:
   
   When I deploy the Airflow pod on my cluster, attaching AWS credentials 
to the pod via secrets, in my entrypoint script I run `aws eks 
update-kubeconfig` to generate a kubeconfig file for it.
   
   The credential only has access to the **airflow** namespace, where every 
operation that it performs takes place. I executed a `kubectl run --image 
worker-image test` just to be sure that this user has pod creation privilege.
   
   But when I run the KubernetesPodOperator as follows, the client returns a 
Forbidden error:
   
   ```python
   KubernetesPodOperator(
       task_id='task_name',
       dag=dag,
       name='worker-pod-nane',
       namespace="airflow",
       image="worker-image",
       image_pull_policy="Always",
       cmds=['python'],
       arguments=['task.py'], 
   )
   ```
   
   Error:
   ```text
   HTTP response body: 
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods
 is forbidden: User \"system:serviceaccount:airflow:default\" cannot create 
resource \"pods\" in API group \"\" in the namespace 
\"airflow\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
   ```
   
   To mitigate this error, I created an **airflow** ServiceAccount with 
full access to the namespace and passed it to the operator as the 
`service_account_name` parameter, but the error was still the same, ignoring 
the new user name that I used.
   
   **What you expected to happen**:
   
   I wanted the operator to create a pod in the namespace using its AWS 
credentials instead of the default service account. If that is not possible, I 
want to know why it is ignoring the new service account that I passed as a 
parameter to the operator.
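The 403 in the report names `system:serviceaccount:airflow:default` as the caller, which is the identity a pod gets when the Kubernetes client is built from in-cluster configuration rather than from the kubeconfig file on disk; `service_account_name` on the operator only sets `serviceAccountName` on the pod being launched, not the identity of the client that launches it. The following is an added example, not code from the issue or from Airflow, that models both points with a deliberately simplified RBAC evaluator (namespaced Role and RoleBinding only; no ClusterRoles, aggregation or `resourceNames`). The Role and RoleBinding manifests, and the names `airflow-pod-manager` and `airflow`, are constructed for the example.

```python
"""Simplified model of the 403 in the issue: who the API server thinks the
client is, and whether a namespaced Role/RoleBinding pair permits the verb.

Added example, not code from the issue or from Airflow. The RBAC check below is
intentionally minimal (Role + RoleBinding, wildcards, no ClusterRoles,
aggregation or resourceNames); the manifests are constructed for illustration.
"""


def client_identity(in_cluster, pod_namespace, pod_service_account, kubeconfig_user):
    """Identity the API server authenticates the *client* as.

    Assumption stated in the lead-in: with in-cluster config the client
    presents the pod's own service-account token, so the kubeconfig user on
    disk is never used; only with a kubeconfig-based client is that user seen.
    """
    if in_cluster:
        return f"system:serviceaccount:{pod_namespace}:{pod_service_account}"
    return kubeconfig_user


# Constructed least-privilege Role: only what launching a pod and reading its
# logs needs, scoped to the airflow namespace.
POD_MANAGER_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "airflow-pod-manager", "namespace": "airflow"},
    "rules": [{"apiGroups": [""],
               "resources": ["pods", "pods/log"],
               "verbs": ["create", "get", "list", "watch", "delete"]}],
}

# Constructed binding: the subject must be the ServiceAccount the *Airflow pod*
# runs as, because that is the client identity when in-cluster config is used.
POD_MANAGER_BINDING = {
    "kind": "RoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "airflow-pod-manager", "namespace": "airflow"},
    "subjects": [{"kind": "ServiceAccount", "name": "airflow", "namespace": "airflow"}],
    "roleRef": {"kind": "Role", "name": "airflow-pod-manager",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def _subject_matches(binding_subject, caller):
    """Map a RoleBinding subject to the identity string the API server sees."""
    if binding_subject["kind"] == "ServiceAccount":
        expected = f"system:serviceaccount:{binding_subject['namespace']}:{binding_subject['name']}"
        return caller == expected
    return binding_subject["kind"] == "User" and caller == binding_subject["name"]


def _rule_allows(rule, api_group, resource, verb):
    """A PolicyRule allows a request when group, resource and verb all match."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def can(caller, namespace, verb, resource, roles, bindings, api_group=""):
    """True if some RoleBinding in `namespace` names `caller` and its Role allows the request."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, caller) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":  # ClusterRole references are out of scope here
            continue
        role = roles_by_key.get((namespace, ref["name"]))
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def forbidden_message(caller, verb, resource, namespace, api_group=""):
    """The message the API server returns on a denied request (same shape as in the report)."""
    return (f'{resource} is forbidden: User "{caller}" cannot {verb} resource "{resource}" '
            f'in API group "{api_group}" in the namespace "{namespace}"')


if __name__ == "__main__":
    roles, bindings = [POD_MANAGER_ROLE], [POD_MANAGER_BINDING]
    # The Airflow pod runs as the namespace's default SA and uses in-cluster config.
    caller = client_identity(True, "airflow", "default", "arn:aws:iam::000000000000:user/example")
    if not can(caller, "airflow", "create", "pods", roles, bindings):
        print(forbidden_message(caller, "create", "pods", "airflow"))
    # Running the Airflow pod itself as the bound SA is what changes the answer.
    caller = client_identity(True, "airflow", "airflow", "unused")
    print(caller, "create pods ->", can(caller, "airflow", "create", "pods", roles, bindings))
```

The check to make on a live cluster is the same question the evaluator answers: `kubectl auth can-i create pods -n airflow --as=system:serviceaccount:airflow:default`, and again with the service account the Airflow pod actually runs as. Binding the Role to the pod's own service account (via `serviceAccountName` on the Airflow deployment) is the least-privilege fix; the `service_account_name` argument only affects the worker pod's identity.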
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.