# flyte-deployment

Cornelis Boon

03/08/2024, 10:23 PM
Really close to getting my first deployment up. On startup I'm currently getting:
"Container [<bucket-name>] lookup failed. Error googleapi: Error 403: Caller does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist)., forbidden"
I gave the service account that's the default SA all the necessary permissions though. Feel that once this is resolved, I've got something going 🙂
Ah forgot to bind/annotate the GSA/KSA

David Espejo (he/him)

03/11/2024, 6:48 PM
Thanks for sharing and contributing!

Cornelis Boon

03/11/2024, 11:17 PM
Hey @David Espejo (he/him), I've got another issue relating to worker KSAs not being annotated on GCP. Getting an error that the main flyte-binary KSA does not have the permission to create/edit the worker KSAs (in e.g. flytesnacks-production/development/staging namespaces). I've already tried a few things by adding extra rules to the values.yaml file, but each time I add a rule some other error pops up (e.g. this is after adding
rbac:
  # create Create ClusterRole and ClusterRoleBinding resources
  create: true
  # extraRules Add additional rules to the ClusterRole
  extraRules: 
   - apiGroups:
      - ""
     resources:
      - serviceaccounts
     verbs:
      - create
      - get
to the values.yaml file):
"Failed cluster resource creation loop with: serviceaccounts "default" is forbidden: User "system:serviceaccount:flyte:flyte-backend-flyte-binary" cannot patch resource "serviceaccounts" in API group "" in the namespace "flytesnacks-staging", serviceaccounts "default" is forbidden: User "system:serviceaccount:flyte:flyte-backend-flyte-binary" cannot patch resource "serviceaccounts" in API group "" in the namespace "flytesnacks-production""
After adding the patch verb, it seems to have worked.