passing --serviceaccount in airflow kubernetes pod operator

4/6/2021

I am trying to create and run a pod using Airflow kubernetes pod operator. The command below is tried and confirmed to be working, and I am trying to replicate the same using the kubernetes pod operator locally.

kubectl run sparkairflow -n test-namespace --image=some-docker-repo.com:hello-world --serviceaccount=airflow --restart=Never -- spark-submit --deploy-mode cluster --master k8s://kubernetes.default.cluster.local:123 \
                 --name sparkairflow \
                 --conf spark.kubernetes.namespace=test-namespace \
                 --conf spark.kubernetes.container.image=some-docker-repo.com:hello-world \
                 --conf spark.kubernetes.authenticate.driver.serviceAccountName=airflow \
...

Running into a wall here because there does not seem to be a way to pass the --serviceaccount flag using airflow, and that is required for my implementation, and that throws the error on my side.

Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: pods "sparkairflow-155252344-driver" is forbidden: User "system:serviceaccount:test-namespace:default" cannot watch resource "pods" in API group "" in the namespace "test-namespace": access denied

The solutions I found up until now mostly focus on adding the default user to the namespace role but that is not possible for my case.

Any way to pass in the serviceaccount flag to airflow kubernetes operator?

Thanks!

-- idk
airflow
kubernetes
kubernetespodoperator

2 Answers

4/13/2021

The KubernetesPodOperator contains a parameter service_account_name with which you can specify the K8s service account. It is available for both Airflow v2 and v1.10; the latter is just not documented.

Example call (mostly taken from https://airflow.apache.org/docs/apache-airflow-providers-cncf-kubernetes/stable/operators.html):

quay_k8s = KubernetesPodOperator(
    namespace='default',
    image='quay.io/apache/bash',
    service_account_name="my_k8s_svc_acct",
    cmds=["bash", "-cx"],
    name="airflow-private-image-pod",
    task_id="task-two",
)
-- tsabsch
Source: StackOverflow
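
Added example (not part of the original question or answers): a small Python check that parses the RBAC denial quoted in the question, shows which service account the pod actually ran as, and builds the `kubectl auth can-i` call that confirms the intended account holds the permission before it is set through service_account_name. The function names and the `SAMPLE_ERROR` constant are illustrative assumptions; the message text is the one from the question.

```python
import re
from typing import List, NamedTuple, Optional

# Denial text copied from the question's stack trace.
SAMPLE_ERROR = ('pods "sparkairflow-155252344-driver" is forbidden: User '
                '"system:serviceaccount:test-namespace:default" cannot watch '
                'resource "pods" in API group "" in the namespace '
                '"test-namespace": access denied')

# Shape of an API-server RBAC denial for a service-account identity.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<ns>[^"]+)")?')

class Denial(NamedTuple):
    sa_namespace: str
    service_account: str
    verb: str
    resource: str
    api_group: str
    namespace: Optional[str]  # None when the request was cluster-scoped

def parse_denial(message: str) -> Optional[Denial]:
    """Extract identity, verb and resource; None if the text is not a denial."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        return None
    return Denial(m["sa_ns"], m["sa"], m["verb"], m["resource"],
                  m["group"], m["ns"])

def diagnose(message: str, expected_sa: str) -> str:
    """Say whether the pod ran as the wrong account or the right one lacks access."""
    d = parse_denial(message)
    if d is None:
        return "not a service-account RBAC denial"
    if d.service_account != expected_sa:
        return (f"pod ran as '{d.service_account}', not '{expected_sa}': "
                "set the service account on the pod spec")
    return f"'{expected_sa}' was used but cannot {d.verb} {d.resource}"

def can_i_command(d: Denial, service_account: str) -> List[str]:
    """Build a kubectl impersonation check for the account that should be used."""
    resource = f"{d.resource}.{d.api_group}" if d.api_group else d.resource
    cmd = ["kubectl", "auth", "can-i", d.verb, resource,
           f"--as=system:serviceaccount:{d.sa_namespace}:{service_account}"]
    if d.namespace:
        cmd += ["-n", d.namespace]
    return cmd
```

Running the generated command requires that the caller is allowed to impersonate service accounts in the cluster.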

4/7/2021

As it turns out, the pod object in airflow code does have the service_account_name field; it is just not set by the KubernetesPodOperator. I had to extend KubernetesPodOperator and override the execute method by copying all of it. Added a single line where I set the service_account_name for the pod object.

Not the cleanest solution but it worked!

-- idk
Source: StackOverflow