Hi All, I am seeing this error when I am trying to...
# ask-the-communitya
Abhinay Dronavally
05/24/2023, 9:43 AMHi All, I am seeing this error when I am trying to run flyte on k8s. What am I missing?
Copy code
{"json":{},"level":"warning","msg":"Failed to create cluster resources for namespace [flytesnacks-development] with err: Failed to read config template dir [flytesnacks-development] for namespace [] with err: open : no such file or directory","ts":"2023-05-24T09:40:15Z"}
{"json":{},"level":"warning","msg":"Failed to create cluster resources for namespace [flytesnacks-staging] with err: Failed to read config template dir [flytesnacks-staging] for namespace [] with err: open : no such file or directory","ts":"2023-05-24T09:40:15Z"}
{"json":{},"level":"warning","msg":"Failed to create cluster resources for namespace [flytesnacks-production] with err: Failed to read config template dir [flytesnacks-production] for namespace [] with err: open : no such file or directory","ts":"2023-05-24T09:40:15Z"}
{"json":{},"level":"warning","msg":"Failed cluster resource creation loop with: Failed to read config template dir [flytesnacks-development] for namespace [] with err: open : no such file or directory, Failed to read config template dir [flytesnacks-staging] for namespace [] with err: open : no such file or directory, Failed to read config template dir [flytesnacks-production] for namespace [] with err: open : no such file or directory","ts":"2023-05-24T09:40:15Z"}
{"json":{},"level":"error","msg":"Failed to initialize certificates for Secrets Webhook. client rate limiter Wait returned an error: context canceled","ts":"2023-05-24T09:40:20Z"}
{"json":{},"level":"panic","msg":"Failed to start Propeller, err: failed to create FlyteWorkflow CRD: <http://customresourcedefinitions.apiextensions.k8s.io|customresourcedefinitions.apiextensions.k8s.io> is forbidden: User \"system:serviceaccount:test-apps:test-flyte-role\" cannot create resource \"customresourcedefinitions\" in API group \"<http://apiextensions.k8s.io|apiextensions.k8s.io>\" at the cluster scope","ts":"2023-05-24T09:40:20Z"}s
shanthi vardhan komera
05/24/2023, 1:15 PM@Ketan (kumare3) @Samhita Alla any help in this regard is highly appreciated.
k
Ketan (kumare3)
05/24/2023, 2:33 PM
Permissions seem to be wrong. How did you deploy
a
Abhinay Dronavally
05/24/2023, 2:46 PMWe deployed single binary on Kubernetes. Using Service account role.
d
David Espejo (he/him)
05/24/2023, 3:01 PM@Abhinay Dronavally I've seen this error a couple of times, especially on EKS environments when there are mismatches in IRSA config
What's your K8s environment?
a
Abhinay Dronavally
05/24/2023, 4:02 PMWe are running Kubernetes on EKS cluster, with service account config like this
Copy code
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: "test-role"Abhinay Dronavally
05/24/2023, 4:02 PMThis role has write access to S3, and EKS cluster.
d
David Espejo (he/him)
05/24/2023, 4:06 PMcan you
kubectl get sa -n <your-namespace>kubectl describe sa <service-account-name> -n <your-namespace>David Espejo (he/him)
05/24/2023, 4:07 PMthe role should be an IAM role and the annotation should include the full ARN
a
Abhinay Dronavally
05/24/2023, 5:07 PM Copy code
Name: flyte-role
Namespace: flyte
Labels: <http://app.kubernetes.io/cluster=flyte-eks|app.kubernetes.io/cluster=flyte-eks>
<http://app.kubernetes.io/instance=flyte|app.kubernetes.io/instance=flyte>
<http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
<http://app.kubernetes.io/name=flyte|app.kubernetes.io/name=flyte>
<http://app.kubernetes.io/version=1.16.0|app.kubernetes.io/version=1.16.0>
<http://helm.sh/chart=flyte-0.1.0|helm.sh/chart=flyte-0.1.0>
Annotations: <http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: <EKS_ARN> <http://eks.amazonaws.com/sts-regional-endpoints|eks.amazonaws.com/sts-regional-endpoints>: true
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>Abhinay Dronavally
05/24/2023, 5:07 PM@David Espejo (he/him)
Abhinay Dronavally
05/24/2023, 5:14 PMWhy is it trying to add group to
<http://flyte.lyft.com|flyte.lyft.com> Copy code
v0.24.1/tools/cache/reflector.go:167: failed to list *v1alpha1.FlyteWorkflow: <http://flyteworkflows.flyte.lyft.com|flyteworkflows.flyte.lyft.com> is forbidden: User "system:serviceaccount:flyte:flyte-role" cannot list resource "flyteworkflows" in API group "<http://flyte.lyft.com|flyte.lyft.com>" at the cluster scopeAbhinay Dronavally
05/24/2023, 5:15 PM Copy code
pkg/mod/k8s.io/client-go@v0.24.1/tools/cache/reflector.go:167: failed to list *v1alpha1.FlyteWorkflow: <http://flyteworkflows.flyte.lyft.com|flyteworkflows.flyte.lyft.com> is forbidden: User "system:serviceaccount:flyte:flyte-role" cannot list resource "flyteworkflows" in API group "<http://flyte.lyft.com|flyte.lyft.com>" at the cluster scoped
David Espejo (he/him)
05/24/2023, 6:02 PMflyte.lyftDavid Espejo (he/him)
05/24/2023, 6:03 PMcan you
aws iam get-role --role-name <YOUR_IAM_ROLE --query Role.AssumeRolePolicyDocument559 Views