Victor Gustavo da Silva Oliveira
05/18/2023, 1:15 PM
values.yaml
to change the default service account? I have tried k8sServiceAccount
but it is not working... values.yaml
, it keeps using the default service account...

Dan Rammer (hamersaw)
05/18/2023, 2:45 PM
values.yaml
file?

Victor Gustavo da Silva Oliveira
05/18/2023, 2:47 PM

Dan Rammer (hamersaw)
05/18/2023, 2:53 PM

Victor Gustavo da Silva Oliveira
05/18/2023, 2:55 PM
k8sServiceAccount: service_account_name
. Is that correct?

flyteadmin:
  roleNameKey: "iam.amazonaws.com/role"
  profilerPort: 10254
  metricsScope: "flyte:"
  metadataStoragePrefix:
    - "metadata"
    - "admin"
  eventVersion: 2
  testing:
    host: http://flyteadmin
  k8sServiceAccount: service_account_name
Dan Rammer (hamersaw)
05/18/2023, 2:58 PM

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:24 PM

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:25 PM
default
, I wanted to use service_account_name
(just a name)

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:27 PM

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:31 PM

- key: aab_default_service_account
  value: |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flytepropeller
      namespace: {{ namespace }}
      annotations:
        # Needed for gcp workload identity to function
        # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
        iam.gke.io/gcp-service-account: {{ gsa }}
Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:32 PM

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 4:33 PM
k8sServiceAccount

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 5:03 PM

Yee

Victor Gustavo da Silva Oliveira
05/18/2023, 7:53 PM

Yee
project: flytesnacks
# domain: development
security_context:
  run_as:
    k8s_service_account: myserviceaccount
(can uncomment the domain too if you want) and then run
flytectl -c ~/.flyte/yourconfig.yaml update workflow-execution-config --attrFile yourfile.yaml
then you can see it here
http://localhost:30080/api/v1/project_attributes/flytesnacks?resource_type=6
replacing your domain ofc. The 6 corresponds to the matchable type. If you uncomment the domain you'll need to hit api/v1/project_domain_attributes and post-pend with the domain in the url. These endpoints should already be called by the frontend as well, so they should show up on the project page to confirm they've been set correctly.

Victor Gustavo da Silva Oliveira
05/18/2023, 8:06 PM

Ariel Kaspit
06/01/2023, 4:21 PM
cluster_resource_manager
(which I attached), should I configure something more? In the config.yaml
for pyflyte or in the values.yaml
of the chart? It's not documented in a straightforward way...
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        # The original post spelled this key "devleopment"; the key has to match the
        # domain name exactly or the values below are never applied to that domain.
        - development:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                value: flyte@project_name.iam.gserviceaccount.com
        - staging:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                # As posted; note this value contains two '@' and so is not a valid
                # service account email.
                value: flyte@project_name@retrain-utils.iam.gserviceaccount.com
Thank you!

Victor Gustavo da Silva Oliveira
06/01/2023, 4:35 PM
k8sServiceAccount
value

Ariel Kaspit
06/01/2023, 4:38 PM
k8sServiceAccount
value?

Victor Gustavo da Silva Oliveira
06/01/2023, 4:40 PM

Ariel Kaspit
06/01/2023, 5:47 PM
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
It is clearly not using the defined service account I configured in the values.yaml (which is flyte@project_name.iam.gserviceaccount.com).

Victor Gustavo da Silva Oliveira
06/01/2023, 6:00 PM

Ariel Kaspit
06/04/2023, 12:09 PM
pyflyte/flytectl
it uses flyteadmin in order to get the gcs bucket. The error I got is:
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
I use workload identity (Flyte is running on GKE) and the access to the bucket is using a signed url. But this does not work with workload identity!
So I created a key.json for the IAM service account and added an env var called GCLOUD_OAUTH_CREDS
which contains the path to the key.json file. Then pyflyte/flytectl
work perfectly!