Hey! I have a question regarding how the role perm...
# flyte-deployment
j
Hey! I have a question regarding how the role permission setup is supposed to work on the multi cluster setup. What i would like to run is basically one control-plane with multiple data-planes in different AWS Accounts. Every data-plane should have a dedicated
flyte-user-roles
for accessing stuff in their account. What is currently happening when following the official documentation is that after exchanging secret, token and adjusting the cluster config on the control plane, the data-plane retrieves all the namespaces, quotas and Service Accounts from the control plane (which are created by the
cluster_resource_manager
i guess). This leaves me with default Service Accounts in the data-plane for all the projects/domains where the
flyte-user-role
of the control plane is annotated. Obviously i want the
flyte-user-roles
of the data-planes in there, which are completely unused so far in my setup. One way would be to just replace the default Service Account annotation with the correct flyte-user-role in the project/domains i need them. Is there a better or correct way of doing this?
s
@Yee @Ketan (kumare3), can one of you please help Jan?
j
I went with overwriting the default service account in the data-plane for now:
kubectl annotate serviceaccount -n $FLYTE_PROJECT_NAME-$domain default <http://eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT_ID:role/$FLYTE_USER_ROLE|eks.amazonaws.com/role-arn=arn:aws:iam::$ACCOUNT_ID:role/$FLYTE_USER_ROLE> --overwrite
Still happy to hear, if there is correct way of doing this 🙂
124 Views