https://flyte.org logo
#ask-the-community
Title
# ask-the-community
e

Ed Fincham

02/16/2023, 1:26 PM
Hello again, I'm trying to apply
defaultIamRole
(and ideally `projectQuotaCpu`/`projectQuotaMemory` , if that's still possible) to the pods that run in dev/stag/prod namespaces across all projects. To do this, I'm using the
configuration.inline.cluster_resources
entry (see prod values). When I deploy the chart with these values, I can see that these exist under
010-inline-config.yaml
in the flyte-backend-flyte-binary-config configmap, but I don't think these values are picked up by the namespaces. For instance, I would expect the default sa in each namespace (dev/stag/prod) to have a
role-arn
annotation, but it doesn't. Have I missed something very obvious?
I noticed that this was alluded to in this thread: https://flyte-org.slack.com/archives/CP2HDHKE1/p1676484417240059 @Yee you mentioned that you can add this info back to the inline section, but under the admin namespace? Can you explain what you mean by the admin namespace, as I'm a bit confused by that 🙂
y

Yee

02/16/2023, 7:37 PM
the bit that you referred to is for the cluster resource controller. those are the values. and they can differ by domain as you can see there.
the cluster resource controller then reads those values, and applies them where you tell them to. but it won’t apply it to the default service account if you don’t tell it to
our default values are a bit incomplete. we need to update them.
basically that example only configures the
spark
service account.
just copy paste that and change the name to
default
so that it also configures the default service account
e

Ed Fincham

02/16/2023, 8:00 PM
Fantastic - thank you! By copy/paste and update, are you referring to the cluster resource template section: https://github.com/flyteorg/flyte/blob/d60c9af85a59ebb4c2265f76cb082b992078a309/charts/flyte-binary/eks-production.yaml#L79-L122
y

Yee

02/16/2023, 10:08 PM
yeah
oh no
not that whole thing, just the service account
just add this
Copy code
042_def_service_account.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          <http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: '{{ defaultIamRole }}'
e

Ed Fincham

02/16/2023, 10:15 PM
Perfect - thank you!
Hi @Yee, Still having some issues here. I have the following in my values.yaml:
Copy code
configuration:
  ...
  inline:
    cluster_resources:
      customData:
      - production:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"
      - staging:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"
      - development:
        - defaultIamRole:
            value: "<IAM_ROLE_ARN>"

clusterResourceTemplates:
  inline:
    001_namespace.yaml: |
      apiVersion: v1
      kind: Namespace
      metadata:
        name: "{{ namespace }}"
    042_def_service_account.yaml: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: default
        namespace: '{{ namespace }}'
        annotations:
          <http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>: '{{ defaultIamRole }}'
I found that I needed to add
001_namespace.yaml
or else the project specific namespaces were not created. However, the default sa in each namespace does not have that role-arn annotation. I can see that the
flyte-backend-flyte-binary-cluster-resource-templates
config map does correctly contain the inline cluster resource templates. I can also see that the the
cluster_resources
are contained in a file at
/etc/flyte/config.d/010-inline-config.yaml
on the main flyte pod. So it seems like everything is in place, but the annotation is not added to the default sa? Moreoever, it's not clear that the
042_def_service_account.yaml
does anything. If I edit the name and update the helm chart, there is no such service account created in any namespace. I'm all out of ideas at this point 🙂
Hey @Yee - if you have any thoughts on the above I would really appreciate the help 🙂
Managed to fix it. For future reference, the issue was that in the default values.yaml, the flyte controller does not have the required permissions to edit service accounts. Copying the following from the production-values.yaml gave the required rbac:
Copy code
rbac:
  extraRules:
    - apiGroups:
      - ""
      resources:
      - serviceaccounts
      verbs:
      - create
      - get
      - list
      - patch
      - update
    - apiGroups:
      - <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
      resources:
      - rolebindings
      - roles
      verbs:
      - create
      - get
      - list
      - patch
      - update
Simple fix in the end but took some time to figure out 🙂
y

Yee

02/20/2023, 3:44 PM
oohh sorry
thank you for digging through this
we will update
@Peeter Piegaze could we get this added to the docs somewhere?
p

Peeter Piegaze

02/20/2023, 5:58 PM
66 Views