One a closer inspection I saw that the service acc...
# flyte-deploymentg
gifted-advantage-40886
06/27/2024, 10:23 PMOne a closer inspection I saw that the service account was missing some configuration:
Copy code
❯ kubectl describe sa default -n flytesnacks-development
Name: default
Namespace: flytesnacks-development
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>gifted-advantage-40886
06/27/2024, 10:25 PM Copy code
kubectl -n flyte edit cm flyte-backend-flyte-binary-configgifted-advantage-40886
06/27/2024, 10:25 PMI had to do this ^ and then add a FLYTE_AWS_ACCESS_KEY_ID and FLYTE_AWS_SECRET_ACCESS_KEY
a
average-finland-92144
06/27/2024, 10:27 PMyou should only need to annotate the SA with
Copy code
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: "arn:aws:iam::<aws-account-id>:role/flyte-system-role"average-finland-92144
06/27/2024, 10:27 PMthis is automated from the Helm chart
https://github.com/davidmirror-ops/flyte-the-hard-way/blob/main/docs/aws/05-deploy-with-helm.md
g
gifted-advantage-40886
06/27/2024, 10:28 PM Copy code
002_serviceaccount.yaml: |
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: '{{ namespace }}'
annotations:
<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: '{{ defaultIamRole }}'gifted-advantage-40886
06/27/2024, 10:28 PMI have this in my help chart
a
average-finland-92144
06/27/2024, 10:28 PMsorry, that one yes
g
gifted-advantage-40886
06/27/2024, 10:28 PMbut still doesn't work
gifted-advantage-40886
06/27/2024, 10:28 PM🙂
gifted-advantage-40886
06/27/2024, 10:29 PMI've tried even hardcoding the role and not using the template
gifted-advantage-40886
06/27/2024, 10:29 PMand adding a label
gifted-advantage-40886
06/27/2024, 10:29 PM Copy code
labels:
hello: worldgifted-advantage-40886
06/27/2024, 10:29 PMand then redeployed helm
gifted-advantage-40886
06/27/2024, 10:30 PMI even tried deleting the NS for
flytesnacks-developmenta
average-finland-92144
06/27/2024, 10:30 PMdo you have the `cluster_resources`section configured?
g
gifted-advantage-40886
06/27/2024, 10:30 PMyes I do
gifted-advantage-40886
06/27/2024, 10:30 PMI followed the tutorial as close as possible
gifted-advantage-40886
06/27/2024, 10:31 PM Copy code
cluster_resources:
customData:
- production:
- defaultIamRole:
value: YYY
[same for staging and development]a
average-finland-92144
06/27/2024, 10:31 PMany relevant log from the Flyte pod?
average-finland-92144
06/27/2024, 10:36 PMotherwise, I'll try to repro this problem and see what's happening. You shouldn't need to use account keys nor manually annotate the KSA
g
gifted-advantage-40886
06/27/2024, 10:37 PMawesome, thank you
gifted-advantage-40886
06/27/2024, 10:37 PMjust redeployed with extra logging
gifted-advantage-40886
06/27/2024, 10:38 PM Copy code
ERROR 2024/06/27 22:36:18 Could not cast sv to map[string]interface{}; key=%!s(MISSING), st=%!v(MISSING), tt=%!v(MISSING), sv=%!v(MISSING), tv=%!v(MISSING) default-for-task-types=[]interface {} map[string]interface {}=[map[container:container] map[container_array:K8S-ARRAY]] map[container:container container_array:k8s-array sidecar:sidecar]=<nil>gifted-advantage-40886
06/27/2024, 10:38 PMthis seems unrelated
gifted-advantage-40886
06/27/2024, 10:40 PM Copy code
{"json":{"src":"controller.go:477"},"level":"debug","msg":"successfully read template config file [002_serviceaccount.yaml]","ts":"2024-06-27T22:37:19Z"}
{"json":{"src":"controller.go:329"},"level":"debug","msg":"Attempting to create resource [ServiceAccount] in cluster [] for namespace [flytesnacks-development]","ts":"2024-06-27T22:37:19Z"}
{"json":{"src":"controller.go:396"},"level":"warning","msg":"Failed to create kubernetes object from config template [002_serviceaccount.yaml] for namespace [flytesnacks-development] with err: serviceaccounts is forbidden: User \"system:serviceaccount:flyte:flyte-backend-flyte-binary\" cannot create resource \"serviceaccounts\" in API group \"\" in the namespace \"flytesnacks-development\"","ts":"2024-06-27T22:37:19Z"}
{"json":{"src":"controller.go:602"},"level":"warning","msg":"Failed to create cluster resources for namespace [flytesnacks-development] with err: Failed to create kubernetes object from config template [002_serviceaccount.yaml] for namespace [flytesnacks-development] with err: serviceaccounts is forbidden: User \"system:serviceaccount:flyte:flyte-backend-flyte-binary\" cannot create resource \"serviceaccounts\" in API group \"\" in the namespace \"flytesnacks-development\"","ts":"2024-06-27T22:37:19Z"}
{"json":{"src":"controller.go:611"},"level":"info","msg":"Completed cluster resource creation loop for namespace [flytesnacks-development] with stats: [{Created:0 Updated:0 AlreadyThere:1 Errored:1}]","ts":"2024-06-27T22:37:19Z"}a
average-finland-92144
06/27/2024, 10:40 PMOh there's a problem with the clusterrole
g
gifted-advantage-40886
06/27/2024, 10:42 PMthe tutorial didn't say anything about creating one or something around those lines
a
average-finland-92144
06/27/2024, 10:43 PMYeah, maybe that's missing, but has worked for many others so I'll have to check where's the problem
g
gifted-advantage-40886
06/27/2024, 10:48 PMmuch appreciated
gifted-advantage-40886
06/27/2024, 10:52 PMis the helm chart expected to deal with the cluster role stuff
a
average-finland-92144
06/27/2024, 10:53 PMYes
g
gifted-advantage-40886
06/27/2024, 10:54 PM Copy code
❯ kubectl describe clusterrole flyte-backend-flyte-binary-cluster-role
Name: flyte-backend-flyte-binary-cluster-role
Labels: <http://app.kubernetes.io/instance=flyte-backend|app.kubernetes.io/instance=flyte-backend>
<http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
<http://app.kubernetes.io/name=flyte-binary|app.kubernetes.io/name=flyte-binary>
<http://app.kubernetes.io/version=1.16.0|app.kubernetes.io/version=1.16.0>
<http://helm.sh/chart=flyte-binary-v1.12.0|helm.sh/chart=flyte-binary-v1.12.0>
Annotations: <http://meta.helm.sh/release-name|meta.helm.sh/release-name>: flyte-backend
<http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>: flyte
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
<http://flyteworkflows.flyte.lyft.com|flyteworkflows.flyte.lyft.com> [] [] [create delete deletecollection get list patch post update watch]
pods [] [] [create delete get list patch update watch]
events [] [] [create delete patch update]
namespaces [] [] [create get list patch update]
resourcequotas [] [] [create get list patch update]
secrets [] [] [create get list patch update]
<http://mutatingwebhookconfigurations.admissionregistration.k8s.io|mutatingwebhookconfigurations.admissionregistration.k8s.io> [] [] [create get list patch update]
<http://customresourcedefinitions.apiextensions.k8s.io|customresourcedefinitions.apiextensions.k8s.io> [] [] [create get list]
podtemplates [] [] [get list watch]gifted-advantage-40886
06/27/2024, 11:09 PM Copy code
kubectl edit clusterrole flyte-backend-flyte-binary-cluster-rolegifted-advantage-40886
06/27/2024, 11:09 PMand added:
gifted-advantage-40886
06/27/2024, 11:10 PM Copy code
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- patch
- updategifted-advantage-40886
06/27/2024, 11:10 PMfixed the problem
gifted-advantage-40886
06/27/2024, 11:11 PMI had to do a final:
Copy code
kubectl rollout restart deployment flyte-backend-flyte-binary -n flytea
average-finland-92144
06/27/2024, 11:34 PMThanks!
Mind fixing the tutorial?
g
gifted-advantage-40886
06/28/2024, 3:51 AMsure thing
a
average-finland-92144
06/28/2024, 5:31 PMIt looks like it's missing on the base chart:
https://github.com/flyteorg/flyte/blob/4643e2a15de33a052b71a0d66ea46171c6887076/charts/flyte-binary/templates/clusterrole.yaml#L21
49 Views