Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

Hm… seems like PodTemplate shouldn’t use the same ServiceAccount as Propeller itself… <https://github.com/flyteorg/flyte/blob/95a083fc31d01951983a2fe223646a7b6a3b6a01/charts/flyte-core/templates/propeller/manager.yaml#L52> (User task Pods should use a different ServiceAccount+IAM Role than Propellor does.)

I guess the only way to control that is via the cluster resource manager “templates”? That or separately creating an additional PodTemplate in every namespace?

Is there any documentation about how the cluster_resources and templates work? Like, how do I use it to change something which doesn’t have a predictable name (specifically, the user task Pods)?

<@U057E7YS7PG> firstly welcome to the community- having a hard time following. Cc <@U029U35LRDJ> 

<@U057E7YS7PG> can you expand on this?

The `PodTemplate` that is linked is for <https://docs.flyte.org/en/latest/deployment/configuration/performance.html#automatic-scale-out|propeller manager>. Basically, in large-scale scenarios it may be beneficial to have multiple propeller instances and shard the workflows between them. So the service account here is for each of the managed propeller instances.

Are you looking for the <https://docs.flyte.org/en/latest/deployment/configuration/general.html#using-default-k8s-podtemplates|default PodTemplate work>? This allows Flyte to use a pre-defined `PodTemplate`as the base for all k8s tasks. We have extended this work quite a bit to <https://github.com/flyteorg/flyte/issues/3123|allow PodTemplates per task> - (<https://github.com/flyteorg/flyte/pull/3391|official docs are currently incomplete>).

Ah, I see now that it’s different from Helm’s `configmap.core.manager.pod-template-name` … that one is under `configmap.k8s.default-pod-template-name` I guess? Gotcha, so user tasks do use “default” ServiceAccount. My mistake, I wasn’t seeing how the Helm values map to the stuff in the docs.

I assume Flyte automatically creates/customizes new Service Accounts in namespaces it dynamically creates, since I see the “default” one being customized in the templates? What if I want it to automatically create/use a ServiceAccount with a different name? Is that possible?