I am trying to configure a private container registry. What worked for me was to add the imagePullSecret to the service account as described here: https://docs.flyte.org/projects/cookbook/en/latest/auto/core/containerization/private_images.html It works when I add the imagePullSecret to the project-specific service account. However, I want to use a global (Flyte-wide) service account instead so that I do not have to patch the service account on the cluster for every new Flyte project. I tried using the --k8sServiceAccount parameter with flytectl register. However, it always prepends the project-specific service account. E.g., if I set '--k8sServiceAccount flyte-backend-flyte-binary', then Flyte reports
"[1/1] currentAttempt done. Last Error: USER::pods "apqwf5zfxrj8sbpnlhtv-n0-0" is forbidden: error looking up service account flyte-poc-development/flyte-backend-flyte-binary: serviceaccount "flyte-backend-flyte-binary" not found"
i.e., Flyte prepends the project-specific service account to my custom service account and, consequently, cannot find it.
Is there a way to get this done with --k8sServiceAccount? Or will I have to use custom pod templates?
03/14/2023, 4:52 AM
Hi @Lukas Bommes! As per my understanding, a service account is namespaced. So a project-domain namespace has to have a service account. For that reason, when you send a service account to
, it checks if the service account exists in the given project-domain.