# ask-the-community
e
Hello again, I'm trying to apply `defaultIamRole` (and ideally `projectQuotaCpu`/`projectQuotaMemory`, if that's still possible) to the pods that run in dev/stag/prod namespaces across all projects. To do this, I'm using the `configuration.inline.cluster_resources` entry (see prod values). When I deploy the chart with these values, I can see that these exist under `010-inline-config.yaml` in the flyte-backend-flyte-binary-config configmap, but I don't think these values are picked up by the namespaces. For instance, I would expect the default sa in each namespace (dev/stag/prod) to have a `role-arn` annotation, but it doesn't. Have I missed something very obvious?
I noticed that this was alluded to in this thread: https://flyte-org.slack.com/archives/CP2HDHKE1/p1676484417240059 @Yee you mentioned that you can add this info back to the inline section, but under the admin namespace? Can you explain what you mean by the admin namespace, as I'm a bit confused by that 🙂
y
the bit that you referred to is for the cluster resource controller. those are the values. and they can differ by domain as you can see there.
the cluster resource controller then reads those values, and applies them where you tell them to. but it won’t apply it to the default service account if you don’t tell it to
our default values are a bit incomplete. we need to update them.
basically that example only configures the `spark` service account.
just copy-paste that and change the name to `default` so that it also configures the default service account
e
Fantastic - thank you! By copy/paste and update, are you referring to the cluster resource template section: https://github.com/flyteorg/flyte/blob/d60c9af85a59ebb4c2265f76cb082b992078a309/charts/flyte-binary/eks-production.yaml#L79-L122
y
yeah
oh no
not that whole thing, just the service account
just add this
```yaml
042_def_service_account.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          eks.amazonaws.com/role-arn: '{{ defaultIamRole }}'
```
e
Perfect - thank you!
Hi @Yee, Still having some issues here. I have the following in my values.yaml:
```yaml
configuration:
  ...
  inline:
    cluster_resources:
      customData:
      - production:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"
      - staging:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"
      - development:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"

clusterResourceTemplates:
  inline:
    001_namespace.yaml: |
      apiVersion: v1
      kind: Namespace
      metadata:
        name: "{{ namespace }}"
    042_def_service_account.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          eks.amazonaws.com/role-arn: '{{ defaultIamRole }}'
```
I found that I needed to add `001_namespace.yaml` or else the project-specific namespaces were not created. However, the default sa in each namespace does not have that role-arn annotation. I can see that the `flyte-backend-flyte-binary-cluster-resource-templates` config map does correctly contain the inline cluster resource templates. I can also see that the `cluster_resources` are contained in a file at `/etc/flyte/config.d/010-inline-config.yaml` on the main flyte pod. So it seems like everything is in place, but the annotation is not added to the default sa? Moreover, it's not clear that the `042_def_service_account.yaml` does anything. If I edit the name and update the helm chart, there is no such service account created in any namespace. I'm all out of ideas at this point 🙂
Hey @Yee - if you have any thoughts on the above I would really appreciate the help 🙂
Managed to fix it. For future reference, the issue was that in the default values.yaml, the flyte controller does not have the required permissions to edit service accounts. Copying the following from the production-values.yaml gave the required rbac:
```yaml
rbac:
  extraRules:
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - create
      - get
      - list
      - patch
      - update
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - rolebindings
      - roles
      verbs:
      - create
      - get
      - list
      - patch
      - update
```
Simple fix in the end but took some time to figure out 🙂
y
oohh sorry
thank you for digging through this
we will update
@Peeter Piegaze could we get this added to the docs somewhere?