<@UPBBNMXD1> there were some changes to the auth i...
# announcementsa
Alex Bain
04/28/2022, 12:48 AM@katrina there were some changes to the auth in Flyte Admin a couple weeks ago that are now in
v1.0.0kubernetes_service_accountdefaultAlex Bain
04/28/2022, 1:16 AMIf I describe executions, I'm getting the correct thing for some of my (newer) workflows, e.g.
Copy code
flytectl get execution --admin.endpoint avflyteadmin.pdx.l5.woven-planet.tech:443 -p avexampleworkflows -d dev atbnkl5564m49swgmqxk --output yaml
...
securityContext:
runAs:
k8sServiceAccount: avexampleworkflowsAlex Bain
04/28/2022, 1:17 AMBut describing the execution for some of my older workflows ends up with:
Copy code
securityContext:
runAs:
k8sServiceAccount: defaultAlex Bain
04/28/2022, 1:18 AMThe launch plan version for this exact execution above ^^^^ has:
Copy code
spec:
annotations: {}
authRole:
kubernetesServiceAccount: avexampleworkflowsdefaultAlex Bain
04/28/2022, 1:20 AMClearly https://github.com/flyteorg/flyteadmin/pull/407 must have broken it (or https://github.com/flyteorg/flyteadmin/pull/401 or https://github.com/flyteorg/flyteadmin/pull/400)
Alex Bain
04/28/2022, 1:24 AMThese two workflows - one with the correct k8sServiceAccount and one with "default" are in the same Flyte project and domain.
Alex Bain
04/28/2022, 2:36 AMI think
flytekit==0.23.0b1defaultflytekitflytekitAlex Bain
04/28/2022, 4:47 AMIt turned out not to be a
flytekitflyte-cli register-files--output-location-prefix----kubernetes-service-account👍 1
p
Prafulla Mahindrakar
04/28/2022, 5:17 AMHi @Alex Bain this was decision we made here https://github.com/flyteorg/flyteadmin/pull/378#discussion_r834785632
We have a proposal to go back to fallbacks https://github.com/flyteorg/flyteadmin/pull/412
In my view having fallbacks can be confusing for the user since we have multiple level of overrides but i will let you guyz take a consensus call on this.
But until then i agree you would have to pass this in as parameter for execution create request or if you feel this is common across project-domain then you can use the matchable attribute for workflow execution config which we introduced now to make it easier
https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl_update_workflow-execution-config.html
You can override this for a workflow aswell.
so you can have
• project-domain
wf config : sa : sa1
This will use sa1 if execution or lpSpec doesn’t have any workflow execution config (Meaning of no workflow exeuction config is right now based on non emptiness of the fields)
• project -domain -workflowname
wf config : sa : s2
This will use sa2 if execution or lpSpec doesn’t have any workflow execution config
k
katrina
04/28/2022, 4:09 PM
hey can I ask why you're using a beta flytekit release in production? i'd recommend upgrading 👍 also can you elaborate on
now --output-location-prefix is required in order for ----kubernetes-service-account to actually take effect.a
Alex Bain
04/28/2022, 5:24 PM@katrina with Flyte release v1.0.0 on EKS and any version of flytekit when I
flyte-cli register-files --kubernetes-service-account <accountName>Alex Bain
04/28/2022, 5:26 PMI had Flyte v0.19.3 backend components before and passing
--kubernetes-service-account <accountName>Alex Bain
04/28/2022, 5:28 PMWe're fine now, but it took me all day to discover and diagnose this behavior. Just letting you know, since this will assuredly cause someone else problems.
k
katrina
05/03/2022, 4:38 PM
hey @Alex Bain sorry for the late reply (been out for conference stuff) but thank you for raising this! i had a proposal that fixes this and this is valuable feedback to revisit that. thanks as always for your patience and detailed feedback
katrina
05/17/2022, 9:13 PM
hey @Alex Bain this is is very belated, but I wanted to let you know the proposal got merged and is part of the 1.0.1 release (which should also include the fix for subworkflows service accounts not being propagated) in case you'd like to upgrade 🙂
169 Views