# ask-the-community
g
Hello team! I am running into the following error:
{
  "json": {
    "src": "start.go:226"
  },
  "level": "panic",
  "msg": "Failed to start Propeller, err: failed to create FlyteWorkflow CRD: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:flyte:flyte-binary\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope",
  "ts": "2024-05-08T10:14:10Z"
}
In my values.yaml file, serviceAccount.create is set to true.
I have installed Flyte using https://artifacthub.io/packages/helm/flyte/flyte-binary/1.11.0. I will really appreciate any help.
c
g
Thanks. I tried adding extraRules, which was earlier empty, to the following but I still get the same error.
rbac:
  # create Create ClusterRole and ClusterRoleBinding resources
  create: true
  # labels Add labels to RBAC resources
  labels: {}
  # annotations Add annotations to RBAC resources
  annotations: {}
  # extraRules Add additional rules to the ClusterRole
  extraRules:
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - create
      - get
      - patch
I also upgraded to 1.12.0 but no change.
c
Ah. I see that it is a different error and this rule wouldn't have mattered 🤔 Misread, my bad
d
@Garbageyard so the flyte-binary KSA seems to have issues creating the CRD, which is strange because the ClusterRole has this permission https://github.com/flyteorg/flyte/blob/cb57beb00631836cad4f2a45f68ada2be51aaa45/charts/flyte-binary/templates/clusterrole.yaml#L63-L68 Can you describe the ClusterRole and confirm it has those permissions?
g
Hi @David Espejo (he/him): I can see those permissions
$ k get clusterrole | grep -i flyte
flyte-binary-cluster-role                            2024-05-08T12:03:04Z
$ k get clusterrole flyte-binary-cluster-role -o yaml | grep -B1 -A13
...
rules:
- apiGroups:
  - ""
--
- apiGroups:
  - flyte.lyft.com
  resources:
  - flyteworkflows
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - post
  - update
  - watch
- apiGroups:
I was able to resolve it. The problem was in my kustomization file. I missed specifying clusterrolebinding 😞 Thanks for the help @David Espejo (he/him). Your suggestion made me look in the right direction.