# flyte-deployment
b
Hello 🙂 I'm a bit confused right now with the permission set of the flyteadmin. To my understanding the communication of the control plane to the data plane over the flyteadmin user consists of creating workflow CRDs and getting updates on their status. I wonder then a bit why its assigned ClusterRole grants pretty broad permissions by default resulting in the following rules on the data plane:
```yaml
rules:
- apiGroups:
  - ""
  - flyte.lyft.com
  - rbac.authorization.k8s.io
  resources:
  - configmaps
  - flyteworkflows
  - namespaces
  - pods
  - resourcequotas
  - roles
  - rolebindings
  - secrets
  - services
  - serviceaccounts
  - spark-role
  verbs:
  - '*'
```
I get that I can overwrite those and restrict it more, but when does the flyteadmin need more of those permissions besides the `flyteworkflows` one?
y
this is because of the cluster resource controller.
if you turn that off you can remove most of these permissions
this bit in admin is code that will for example, create namespaces for a project when you create a new flyte project
and make sure that the namespace has the right service accounts or whatever
basically it’s applying these templates
maybe it was a templating thing…
this was our old template… but there’s an extra layer here cuz we used to have yet another templating engine on top of helm
```yaml
subject: |
  Flyte: {{{{ "{{{{" }}}} project {{{{ "}}}}" }}}}/{{{{ "{{{{" }}}} domain {{{{ "}}}}" }}}}/{{{{ "{{{{" }}}} launch_plan.name {{{{ "}}}}" }}}}: {{{{ "{{{{" }}}} phase {{{{ "}}}}" }}}}
sender: "flyte@{parent.domain}"
body: |
  Execution {{{{ "{{{{" }}}} workflow.project {{{{ "}}}}" }}}}/{{{{ "{{{{" }}}} workflow.domain {{{{ "}}}}" }}}}/{{{{ "{{{{" }}}} workflow.name {{{{ "}}}}" }}}}/{{{{ "{{{{" }}}} name {{{{ "}}}}" }}}} in phase {{{{ "{{{{" }}}} phase {{{{ "}}}}" }}}}.
  Details: https://mydomain.com/console/projects/{{{{ "{{{{" }}}} project {{{{ "}}}}" }}}}/domains/{{{{ "{{{{" }}}} domain {{{{ "}}}}" }}}}/executions/{{{{ "{{{{" }}}} name {{{{ "}}}}" }}}}.
  {{{{ "{{{{" }}}} error {{{{ "}}}}" }}}}
```
b
Thanks for the really helpful and insightful input! Will play around with it a bit.