elegant-toddler-67101
06/04/2023, 9:40 AM
I configured `cluster_resource_manager` as documented, but I'm still getting permissions errors. I followed the documentation, specifically here: https://docs.flyte.org/en/latest/deployment/configuration/general.html#cluster-resources
This is my configuration in `values.yaml`:
```yaml
configmap:
  domain:
    domains:
      - id: development
        name: development
      - id: staging
        name: staging
  namespace_config:
    namespace_mapping:
      template: "{{ domain }}"
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - development:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                value: flyte@projectid.iam.gserviceaccount.com
        - staging:
            - projectQuotaCpu:
                value: "5"
            - projectQuotaMemory:
                value: 4000Mi
            - gsa:
                value: flyte@projectid.iam.gserviceaccount.com
  templates:
    - key: aa_namespace
      value: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: {{ namespace }}
        spec:
          finalizers:
          - kubernetes
    - key: aab_default_service_account
      value: |
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: default
          namespace: {{ namespace }}
          annotations:
            iam.gke.io/gcp-service-account: flyte@projectid.iam.gserviceaccount.com
    - key: ab_project_resource_quota
      value: |
        apiVersion: v1
        kind: ResourceQuota
        metadata:
          name: project-quota
          namespace: {{ namespace }}
        spec:
          hard:
            limits.cpu: {{ projectQuotaCpu }}
            limits.memory: {{ projectQuotaMemory }}
```
In console, I don’t see any IAM and serviceaccounts assigned to the project (attached a screenshot).
Using `pyflyte`, I'm trying to run the hello-world workflow (I use the basic workflow just for testing; it's from `flytesnacks/cookbook/core/flyte_basics/hello_world.py`) and I get 403 Permission denied. Is there something I need to configure in the workflow itself / in `./flyte/config.yaml`?

average-finland-92144
06/05/2023, 3:57 AM
```
kubectl describe cm flyte-clusterresourcesync-config -n <your-flyte-namespace>
```
There's another way to specify the service account running workflows should use depending on project/domains:
https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_update_workflow-execution-config.html#id1
But it's not the same outcome as doing it from the Helm chart.

elegant-toddler-67101
06/05/2023, 8:34 AM
```
Data
====
domain.yaml:
----
domains:
- id: development
  name: development
- id: staging
  name: staging

namespace_config.yaml:
----
namespace_mapping:
  template: '{{ domain }}'

cluster_resources.yaml:
----
cluster_resources:
  customData:
  - development:
    - projectQuotaCpu:
        value: "5"
    - projectQuotaMemory:
        value: 4000Mi
    - gsa:
        value: xxx@projectid.iam.gserviceaccount.com
  - staging:
    - projectQuotaCpu:
        value: "5"
    - projectQuotaMemory:
        value: 4000Mi
    - gsa:
        value: xxx@projectid.iam.gserviceaccount.com
  refresh: 5m
  refreshInterval: 5m
  standaloneDeployment: false
  templatePath: /etc/flyte/clusterresource/templates

clusters.yaml:
----
clusters:
  clusterConfigs: []
  labelClusterMap: {}
```
average-finland-92144
06/06/2023, 6:35 PM
`defaultIamRole`
```yaml
cluster_resources:
  customData:
  - development:
    - defaultIamRole:
        value: xxx@projectid.iam.gserviceaccount.com
```
instead of `gsa`?

elegant-toddler-67101
06/07/2023, 8:21 AM

elegant-toddler-67101
06/08/2023, 2:35 PM
`pyflyte`/`flytectl`: it uses flyteadmin in order to get the GCS bucket. The error I got is:
```
details: failed to create a signed url. Error: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).
```
I use Workload Identity (Flyte is running on GKE) and the access to the bucket is using a signed URL, but this does not work with Workload Identity!
So I created a key.json for the IAM service account and added an env var called `GCLOUD_OAUTH_CREDS` which contains the path to the key.json file. Then `pyflyte`/`flytectl` work perfectly!

average-finland-92144
06/08/2023, 2:37 PM