Update RBAC rules for Airflow Workers
We are getting the following errors [0] while getting Airflow worker to execute a health check on the underlying K8s cluster. This patch set is meant to grant watch/get/list pods rights to the airflow worker so that it can perform health checks on the K8s cluster. [0] Error messages: [2018-01-23 02:51:32,003] {base_task_runner.py:98} INFO - Subtask: HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure", "message":"pods is forbidden: User \"system:serviceaccount:ucp:airflow-worker\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403} Change-Id: Iede29f605b5d508d0e58c0c2ae74d7d040d5b8ea
parent
95784c03ed
commit
4991d8f6ff
|
@ -15,10 +15,41 @@
|
|||
{{- if .Values.manifests.deployment_airflow_worker }}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.airflow_server }}
|
||||
{{- $serviceAccountName := "airflow-worker" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{- $mounts_airflow_worker := .Values.pod.mounts.airflow_worker.airflow_worker }}
|
||||
{{- $mounts_airflow_worker_init := .Values.pod.mounts.airflow_worker.init_container }}
|
||||
{{- $serviceAccountName := "airflow-worker" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: airflow-worker-runner
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
- nodes/proxy
|
||||
- services
|
||||
- endpoints
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: run-airflow-worker
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: airflow-worker-runner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
|
|
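Review bot: The new ClusterRole `airflow-worker-runner` grants get/list/watch on `nodes`, `nodes/proxy`, `services` and `endpoints` in addition to `pods`, while the commit message and the quoted 403 only call for listing pods at cluster scope. `nodes/proxy` in particular gives the worker service account a path to each node's kubelet API through the API server, which is well beyond what a health check reading pod status needs; unless the health check is shown to use the other resources, the `resources:` list should be reduced to `- pods`. Both cluster-scoped names are hard-coded, so a second release of this chart in another namespace would collide on `airflow-worker-runner` and `run-airflow-worker`; prefixing them, e.g. `name: {{ .Release.Namespace }}-airflow-worker-runner` (with the same value in `roleRef`), would avoid that. The YAML indentation is lost in this rendering, so the nesting of the rule entries is inferred from key order.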