I created a ServiceAccount resource named my-app-cluster-access. Then I supplied that resource name in the service_account_name argument of the KubernetesPodOperator. But I keep getting the error:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:my-release-name:default\" cannot create resource \"pods\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}

The message seems to indicate that the supplied value of service_account_name is not being applied, since the message still has the default text. I checked the KubernetesPodOperator source code and it looks like the mapping is there.

Before I created the ServiceAccount resource, I also got that same error message. Do I need to create a ServiceAccount resource to use that operator? I need to be able to use KubernetesPodOperator, and so far it is not working after adding the ServiceAccount. I have already set the in_cluster arg to True.
By default every namespace has a service account named default. The default service account does not have permission to create pods.

In your case, the default service account from namespace my-release-name is trying to create a pod in the default namespace.

You can check whether the service account named default from namespace my-release-name has permission to create pods in the default namespace:
kubectl auth can-i create pods -n default --as=system:serviceaccount:my-release-name:default

This will return no.
So you can create a role like below:

kubectl create clusterrole pod-creator --verb=create,get,list,watch --resource=pods

and a clusterrolebinding:

kubectl create clusterrolebinding pod-creator-clusterrolebinding --clusterrole=pod-creator --serviceaccount=my-release-name:default

The above should work without a need to create a new service account.
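As an added illustration (not part of the question or the answer), the Python below replays the `kubectl auth can-i` check from the answer against a small in-memory model of RBAC: the pod-creator ClusterRole, the answer's ClusterRoleBinding, and, going beyond the answer, a namespace-scoped RoleBinding alternative. The subject name follows the form shown in the 403 message: with in_cluster=True the API call is made with the token mounted into the Airflow pod (here my-release-name/default), whereas the operator's service_account_name only sets the service account of the pod being launched. All names, rules and results are constructed, and nothing here talks to a real cluster; `can_i`, `PolicyRule` and the other helpers are this example's own names.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


def service_account_subject(namespace: str, name: str) -> str:
    """Username the API server assigns to a ServiceAccount token (the form seen in the 403)."""
    return f"system:serviceaccount:{namespace}:{name}"


@dataclass(frozen=True)
class PolicyRule:
    """One entry of a Role/ClusterRole `rules:` list."""
    api_groups: Sequence[str]   # "" is the core API group, which holds pods
    resources: Sequence[str]
    verbs: Sequence[str]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        def matches(values: Sequence[str], wanted: str) -> bool:
            return "*" in values or wanted in values
        return (matches(self.api_groups, group)
                and matches(self.resources, resource)
                and matches(self.verbs, verb))


@dataclass(frozen=True)
class RoleLike:
    """A Role or ClusterRole; only its rules matter when evaluating a request."""
    name: str
    rules: Sequence[PolicyRule]


@dataclass(frozen=True)
class BindingLike:
    """A RoleBinding (grants only inside `namespace`) or a ClusterRoleBinding
    (namespace=None, grants in every namespace), the latter being what the
    answer's `kubectl create clusterrolebinding` command produces."""
    role: RoleLike
    subjects: frozenset
    namespace: Optional[str] = None


def can_i(bindings: Sequence[BindingLike], subject: str, verb: str,
          resource: str, namespace: str, group: str = "") -> bool:
    """Mirror of `kubectl auth can-i`: RBAC is a pure allow-list, so the request
    is permitted if any binding naming the subject carries a matching rule."""
    for binding in bindings:
        if subject not in binding.subjects:
            continue
        if binding.namespace is not None and binding.namespace != namespace:
            continue
        if any(rule.allows(group, resource, verb) for rule in binding.role.rules):
            return True
    return False


# Constructed to match the question: the caller is the Airflow pod's own identity.
CALLER = service_account_subject("my-release-name", "default")
# Equivalent of `kubectl create clusterrole pod-creator --verb=create,get,list,watch --resource=pods`.
POD_CREATOR = RoleLike("pod-creator",
                       [PolicyRule(("",), ("pods",), ("create", "get", "list", "watch"))])
# Equivalent of the answer's ClusterRoleBinding.
CLUSTER_WIDE = BindingLike(POD_CREATOR, frozenset({CALLER}))
# Tighter alternative (an assumption of this example, not from the answer):
# a RoleBinding that grants the same role in the "default" namespace only.
DEFAULT_NS_ONLY = BindingLike(POD_CREATOR, frozenset({CALLER}), namespace="default")


def scenario() -> Dict[str, bool]:
    """Replays the checks a practitioner would run before and after applying the fix."""
    return {
        # No binding yet: the 403 from the question.
        "before_fix": can_i([], CALLER, "create", "pods", "default"),
        # With the answer's ClusterRoleBinding: allowed in "default" ...
        "after_crb_default": can_i([CLUSTER_WIDE], CALLER, "create", "pods", "default"),
        # ... and, because the grant is cluster-wide, in every other namespace too.
        "after_crb_kube_system": can_i([CLUSTER_WIDE], CALLER, "create", "pods", "kube-system"),
        # The namespace-scoped RoleBinding also clears the error ...
        "after_rb_default": can_i([DEFAULT_NS_ONLY], CALLER, "create", "pods", "default"),
        # ... without granting anything elsewhere.
        "after_rb_kube_system": can_i([DEFAULT_NS_ONLY], CALLER, "create", "pods", "kube-system"),
        # Verbs absent from the role (e.g. delete) stay forbidden in both variants.
        "delete_with_crb": can_i([CLUSTER_WIDE], CALLER, "delete", "pods", "default"),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:24s} {'yes' if allowed else 'no'}")
```

Running the block prints a yes/no line per check. The RoleBinding variant is the least-privilege choice when the Airflow identity only ever needs to launch pods into one namespace; the ClusterRoleBinding from the answer is simpler but lets that service account create pods in any namespace, kube-system included.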