feat: add rbac.serviceaccounts value #871

Open
wants to merge 1 commit into
base: main
@fllaca fllaca commented Jul 1, 2024

What issues does your PR fix?

Fixes DAGs that use the KubernetesPodOperator with the service_account_name argument set to a custom service account other than Airflow's:

```
[2024-07-01, 11:16:27 UTC] {pod.py:1107} INFO - Building pod REDACTED with labels: {'dag_id': '32.02-AgentIngest', 'task_id': 'REDACTED', 'run_id': 'scheduled__2024-07-01T1000000000-03129e074', 'kubernetes_pod_operator': 'True', 'try_number': '2'}
[2024-07-01, 11:16:28 UTC] {base.py:84} INFO - Using connection ID 'kubernetes_default' for task execution.
[2024-07-01, 11:16:28 UTC] {pod_manager.py:334} ERROR - Exception when attempting to create Namespaced Pod: {   "apiVersion": "v1",   "kind": "Pod",   [...REDACTED...]  "serviceAccountName": "mysa",     "tolerations": [],     "volumes": []   } }
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.10/site-packages/airflow/providers/cncf/kubernetes/utils/pod_manager.py", line 329, in run_pod_async
    resp = self._client.create_namespaced_pod(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 7356, in create_namespaced_pod
    return self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)  # noqa: E501
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 7455, in create_namespaced_pod_with_http_info
    return self.api_client.call_api(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 391, in request
    return self.rest_client.POST(url,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/rest.py", line 279, in POST
    return self.request("POST", url,
  File "/home/airflow/.local/lib/python3.10/site-packages/kubernetes/client/rest.py", line 238, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'd28ba1ed-88b3-4d23-b564-57833dad63d5', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': 'd8c1c6ea-5cae-4996-8995-669952a8f74a', 'X-Kubernetes-Pf-Prioritylevel-Uid': '35d5696a-251b-4647-8347-fb0f98fea966', 'Date': 'Mon, 01 Jul 2024 11:16:28 GMT', 'Content-Length': '311'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"REDACTED\" is forbidden: error looking up service account dev/mysa: serviceaccount \"mysa\" not found","reason":"Forbidden","details":{"name":"REDACTED","kind":"pods"},"code":403}
```

NOTE: HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"REDACTED\" is forbidden: error looking up service account dev/mysa: serviceaccount \"mysa\" not found","reason":"Forbidden","details":{"name":"REDACTED","kind":"pods"},"code":403}

What does your PR do?

Adds a rbac.serviceaccounts value to allow Airflow to get/list serviceaccounts

Checklist

For all Pull Requests

For releasing ONLY

@fllaca fllaca requested a review from thesuperzapper as a code owner July 1, 2024 13:24
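
A 403 `Forbidden` on pod creation can carry either the service-account lookup message shown in the log above or an RBAC authorizer denial, and the two point at different objects to inspect. The following is an added example, not code from this PR or the chart: it classifies a `Status` body by its message. `classify_forbidden`, the RBAC sample body and the `airflow` account name in it are constructed for illustration.

```python
import json
import re

# Status body copied from the log on this page (pod name is REDACTED there).
PAGE_BODY = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"REDACTED\" is forbidden: error looking up service account dev/mysa: serviceaccount \"mysa\" not found","reason":"Forbidden","details":{"name":"REDACTED","kind":"pods"},"code":403}'''

# Constructed sample: the message shape of an RBAC authorizer denial.
RBAC_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'pods is forbidden: User "system:serviceaccount:dev:airflow" '
               'cannot create resource "pods" in API group "" in the namespace "dev"',
    "reason": "Forbidden", "details": {"kind": "pods"}, "code": 403,
})

# Message produced when the pod's serviceAccountName cannot be looked up.
SA_LOOKUP = re.compile(
    r'error looking up service account (?P<ns>[^/\s]+)/(?P<sa>[^:\s]+): '
    r'serviceaccount "(?P=sa)" not found')
# Message produced when the caller's identity lacks a verb on a resource.
RBAC_DENY = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<res>[^"]+)"'
    r'.* in the namespace "(?P<ns>[^"]+)"')


def classify_forbidden(body: str) -> dict:
    """Return the cause of a 403 Status body and the object to inspect."""
    status = json.loads(body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        return {"cause": "not-a-403"}
    msg = status.get("message", "")
    m = SA_LOOKUP.search(msg)
    if m:
        # The ServiceAccount named in the pod spec was not found in that namespace.
        return {"cause": "serviceaccount-missing",
                "namespace": m["ns"], "serviceaccount": m["sa"]}
    m = RBAC_DENY.search(msg)
    if m:
        # The calling identity needs a Role/RoleBinding for this verb and resource.
        return {"cause": "rbac-denied", "user": m["user"], "verb": m["verb"],
                "resource": m["res"], "namespace": m["ns"]}
    return {"cause": "unknown", "message": msg}


if __name__ == "__main__":
    print(classify_forbidden(PAGE_BODY))
    print(classify_forbidden(RBAC_BODY))
```
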

stale bot commented Jan 31, 2025

This issue has been automatically marked as stale because it has not had activity in 60 days.
It will be closed in 7 days if no further activity occurs.

Thank you for your contributions.


Issues never become stale if any of the following is true:

  1. they are added to a Project
  2. they are added to a Milestone
  3. they have the lifecycle/frozen label

@stale stale bot added the lifecycle/stale lifecycle - this is stale label Jan 31, 2025
fllaca commented Feb 1, 2025

Hi @thesuperzapper, I think this little feat is still valuable, could you please have a look?

@stale stale bot removed the lifecycle/stale lifecycle - this is stale label Feb 1, 2025
@alvarogaroconstella

I am facing the same issue, and I think this is important too because it's very difficult to configure this.
