Hm seems like PodTemplate shouldn t use the same ServiceAcco

Question

Hm seems like PodTemplate shouldn t use the same ServiceAccount as Propeller itself <https github com flyteorg flyte blob 95a083fc31d01951983a2fe223646a7b6a3b6a01 charts flyte core templates propeller manager yaml L52> User task Pods should use a different ServiceAccount+IAM Role than Propellor does I guess the only way to control that is via the cluster resource manager templates That or separately creating an additional PodTemplate in every namespace

Shannon Carey · Answer

Is there any documentation about how the cluster resources and templates work Like how do I use it to change something which doesn t have a predictable name specifically the user task Pods

Ketan (kumare3) · Answer

< Shannon Carey> firstly welcome to the community having a hard time following Cc < Dan Rammer hamersaw >

Ketan (kumare3) · Answer

Hey Shannon let me DM you too

Dan Rammer (hamersaw) · Answer

< Shannon Carey> can you expand on this The `PodTemplate` that is linked is for Basically in large scale scenarios it may be beneficial to have multiple propeller instances and shard the workflows between them So the service account here is for each of the managed propeller instances Are you looking for the This allows Flyte to use a pre defined `PodTemplate`as the base for all k8s tasks We have extended this work quite a bit to

Shannon Carey · Answer

Ah I see now that it s different from Helm s `configmap core manager pod template name` that one is under `configmap k8s default pod template name` I guess Gotcha so user tasks do use default ServiceAccount My mistake I wasn t seeing how the Helm values map to the stuff in the docs

Shannon Carey · Answer

I assume Flyte automatically creates customizes new Service Accounts in namespaces it dynamically creates since I see the default one being customized in the templates What if I want it to automatically create use a ServiceAccount with a different name Is that possible