Cody Scandore
04/25/2023, 3:42 PM
`serviceAccount` annotation. I have set `create: false` and I am using the EKS cluster service role arn.

```yaml
serviceAccount:
  create: false
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::<id-redacted>:role/eksctl-flyte-cluster-cluster-ServiceRole"
```

```text
2023/04/25 15:57:49 /go/pkg/mod/gorm.io/gorm@v1.24.1-0.20221019064659-5dd2bb482755/callbacks.go:134
[3.789ms] [rows:0] CREATE INDEX IF NOT EXISTS "artifacts_dataset_uuid_idx" ON "artifacts" ("dataset_uuid")
{"json":{"src":"start.go:169"},"level":"panic","msg":"Failed to start Propeller, err: failed to create FlyteWorkflow CRD: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:flyte:default\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope","ts":"2023-04-25T15:57:54Z"}
panic: (*logrus.Entry) 0xc0008ec540

goroutine 53 [running]:
github.com/sirupsen/logrus.(*Entry).log(0xc0008ec4d0, 0x0, {0xc010f68d80, 0x117})
	/go/pkg/mod/github.com/sirupsen/logrus@v1.8.1/entry.go:259 +0x45b
github.com/sirupsen/logrus.(*Entry).Log(0xc0008ec4d0, 0x0, {0xc00121be68?, 0x1?, 0x1?})
	/go/pkg/mod/github.com/sirupsen/logrus@v1.8.1/entry.go:293 +0x4f
github.com/sirupsen/logrus.(*Entry).Logf(0xc0008ec4d0, 0x0, {0x305c298?, 0x0?}, {0xc0084d87a0?, 0x0?, 0x0?})
	/go/pkg/mod/github.com/sirupsen/logrus@v1.8.1/entry.go:338 +0x85
github.com/sirupsen/logrus.(*Entry).Panicf(0x3e83040?, {0x305c298?, 0x416667?}, {0xc0084d87a0?, 0x29975a0?, 0x1?})
	/go/pkg/mod/github.com/sirupsen/logrus@v1.8.1/entry.go:376 +0x34
github.com/flyteorg/flytestdlib/logger.Panicf({0x3e83040?, 0xc000943080?}, {0x305c298, 0x22}, {0xc0084d87a0, 0x1, 0x1})
	/go/pkg/mod/github.com/flyteorg/flytestdlib@v1.0.16/logger/logger.go:188 +0x64
github.com/flyteorg/flyte/cmd/single.glob..func4.2()
	/flyteorg/build/cmd/single/start.go:169 +0xbe
golang.org/x/sync/errgroup.(*Group).Go.func1()
	/go/pkg/mod/golang.org/x/sync@v0.0.0-20220722155255-886fb9371eb4/errgroup/errgroup.go:75 +0x64
created by golang.org/x/sync/errgroup.(*Group).Go
	/go/pkg/mod/golang.org/x/sync@v0.0.0-20220722155255-886fb9371eb4/errgroup/errgroup.go:72 +0xa5
```

Mike Ossareh
04/25/2023, 4:44 PM
The `eksctl-flyte-cluster-cluster-ServiceRole` annotation needs to be attached to a service account, so `create: false` is tripping you up.
The IRSA annotation is needed to inform your pod's AWS credentials, e.g. allowing your flyte propeller, etc., access to s3.
However, the problem you're having is that the default service account you're using doesn't have permissions to create the FlyteWorkflow CRD.

`default` shouldn't really be used, and is rarely used for a cluster scoped set of permissions, since it can lead to privilege escalation.

Cody Scandore
04/25/2023, 5:01 PM

Mike Ossareh
04/25/2023, 5:04 PM
`default` service account; you will also need to annotate it with the IRSA annotation (i.e. `eks.amazonaws.com/role-arn`).

Cody Scandore
04/25/2023, 5:05 PM
`create: true` as recommended and it worked beautifully. Thanks again.