# ask-the-community
v
Hello all! Which variable should I set on my `values.yaml` to change the default service account? I have tried `k8sServiceAccount` but it is not working...
@Dan Rammer (hamersaw) it's only this that's keeping me from testing the things that we talked about. When I'm running the workflow, instead of using the service account that I've set in `values.yaml`, it keeps using the default service account...
d
that is the correct key, but probably set at the wrong location. can you show how you're setting it in the `values.yaml` file?
v
Sure! Can I send you the .yaml files in DM?
Or we can schedule a call, if you prefer
cc @Yee correct?
v
Yes, I'm setting it here, using `k8sServiceAccount: service_account_name`. Is that correct?
```yaml
flyteadmin:
  roleNameKey: "iam.amazonaws.com/role"
  profilerPort: 10254
  metricsScope: "flyte:"
  metadataStoragePrefix:
    - "metadata"
    - "admin"
  eventVersion: 2
  testing:
    host: flyteadmin
  k8sServiceAccount: service_account_name
```
d
That should be the correct place. Let me do some testing here quick.
y
what do you mean by default service account?
the one that the users uses or the one that flyte uses?
v
The one that flyte uses
y
and you’re on the flyte/flyte-core helm chart?
v
When I launch a workflow, instead of `default`, I wanted to use `service_account_name` (just a name)
Yup, using flyte-core helm chart
y
so you want to change the one that users use
v
Ow, right! Sorry, yes
those values get sent to the template here
v
Yeah, I've tried it, but with no success. I've tried this too:
```yaml
- key: aab_default_service_account
  value: |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flytepropeller
      namespace: {{ namespace }}
      annotations:
        # Needed for gcp workload identity to function
        # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        iam.gke.io/gcp-service-account: {{ gsa }}
```
y
what happens?
v
It is still using the default service account
y
why is the name “flytepropeller”?
user pods should use the default one
v
It was the name set previously for the service account by a previous engineer, and I cannot change it...
I cannot change it because things can get messy if I do
Is this the service account that I need to change?
In the previous version, it was automatically set by `k8sServiceAccount`
y
you can always check to see if the cluster resource controller is doing the right thing by creating a new project in flyte admin
when the cluster resource controller runs next it’ll create new namespaces, along with the service account
yeah that’s the user service account.
v
I've just created a new project, uploaded the workflow, and got the same results
y
can you check the definition of the service account? just to make sure the cluster creation side is working.
https://github.com/flyteorg/flyteadmin/pull/566 thank you @Dan Rammer (hamersaw) who found the issue
we’ll be cutting a patch release on monday
can you set the service account using matchable resources for now?
on the project level?
v
Wow, so it has an issue? Cool
What do you mean by use matchable resources?
y
Docs here, basically make a file that looks like
```yaml
project: flytesnacks
# domain: development
security_context:
  run_as:
    k8s_service_account: myserviceaccount
```
(can uncomment the domain too if you want) and then run
```shell
flytectl -c ~/.flyte/yourconfig.yaml update workflow-execution-config --attrFile yourfile.yaml
```
then you can see it here
```
http://localhost:30080/api/v1/project_attributes/flytesnacks?resource_type=6
```
replacing your domain ofc. The `6` corresponds to the matchable type. If you uncomment the domain you'll need to hit `api/v1/project_domain_attributes` and post-pend the domain in the URL. These endpoints should already be called by the frontend as well, so they should show up on the project page to confirm they've been set correctly.
v
Alright, I was setting the service account manually. Will do this instead. Thanks a lot you guys!
Guys, just an update: after the newest versions of the core components, the service account is being set the right way. Thank you guys for this fast solution!
a
Hey! I just encountered the same issue. Can I please ask which chart version you are using? @Victor Gustavo da Silva Oliveira
@Yee I'm also trying to configure the default service account for users (I deployed the flyte chart on GKE). Except for the `cluster_resource_manager` (which I attached), should I configure something more? In the `config.yaml` for pyflyte or in the `values.yaml` of the chart? It's not documented straightforwardly…
```yaml
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - development:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - gsa:
              value: flyte@project_name.iam.gserviceaccount.com
        - staging:
          - projectQuotaCpu:
              value: "5"
          - projectQuotaMemory:
              value: 4000Mi
          - gsa:
              value: flyte@project_name@retrain-utils.iam.gserviceaccount.com
```
Thank you!
v
For me, what worked was updating the components version and setting the `k8sServiceAccount` value.
There is an updated values file in the flyte repo
a
Where did you set the `k8sServiceAccount` value?
In the values.yaml or the workflow/config?
v
In the values.yaml
At the beginning of this thread, I posted a snippet
a
Hmm not sure I understand… The error I'm getting from running pyflyte is:
```
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
```
It is clearly not using the service account I configured in the values.yaml (which is `flyte@project_name.iam.gserviceaccount.com`)
v
In the workflow execution instance page, in the console, what service account name is shown?
a
none!
Can you share with me please your configuration for helm values? Maybe I’m missing something…
I got the issue! When using `pyflyte/flytectl` it uses flyteadmin in order to get the gcs bucket. The error I got is:
```
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
```
I use workload identity (Flyte is running on GKE) and the access to the bucket is using a signed URL, but this does not work with workload identity! So I created a key.json for the IAM service account and added an env var called `GCLOUD_OAUTH_CREDS` which contains the path to the key.json file. Then `pyflyte/flytectl` work perfectly!