2

I am trying to create and run a pod using Airflow kubernetes pod operator. The command below is tried and confirmed to be working and I am trying to replicate the same using the kubernetes pod operator locally

kubectl run sparkairflow -n test-namespace --image=some-docker-repo.com:hello-world --serviceaccount=airflow --restart=Never -- spark-submit --deploy-mode cluster --master k8s://kubernetes.default.cluster.local:123 \
                 --name sparkairflow \
                 --conf spark.kubernetes.namespace=test-namespace \
                 --conf spark.kubernetes.container.image=some-docker-repo.com:hello-world \
                 --conf spark.kubernetes.authenticate.driver.serviceAccountName=airflow \
...

Running into a wall here because there does not seem to be a way pass the --serviceaccount flag using airflow and that is required for my implementation and that throws the error on my side.

Exception in thread "main" io.fabric8.kubernetes.client.KubernetesClientException: pods "sparkairflow-155252344-driver" is forbidden: User "system:serviceaccount:test-namespace:default" cannot watch resource "pods" in API group "" in the namespace "test-namespace": access denied

The solutions I found up until now mostly focus on adding the default user to the namespace role but that is not possible for my case.

Any way to pass in the serviceaccount flag to airflow kubernetes operator?

Thanks!

idk
  • 31
  • 1
  • 5
  • try: `--deploy-mode: client` and `--conf spark.kubernetes.authenticate.serviceAccountName=airflow` and let mw know if this works – Matt Apr 07 '21 at 07:56
  • I tried this but serviceaccount in kubernetes defaults to 'default', posted the solution for what I ended up doing. Thanks for your help! – idk Apr 07 '21 at 15:09

2 Answers2

4

The KubernetesPodOperator contains a parameter service_account_name with which which you can specify the K8s service account. It is available for both Airflow v2 and v1.10, the latter is just not documented.

Example call (mostly taken from https://airflow.apache.org/docs/apache-airflow-providers-cncf-kubernetes/stable/operators.html):

quay_k8s = KubernetesPodOperator(
    namespace='default',
    image='quay.io/apache/bash',
    service_account_name="my_k8s_svc_acct",
    cmds=["bash", "-cx"],
    name="airflow-private-image-pod",
    task_id="task-two",
)
tsabsch
  • 2,131
  • 1
  • 20
  • 28
  • hi, we were previously using kiam roles and set the Iam role using annotation. but now we have moved to eks and have service accounts, I'm unable to set pod/dag level service-account with this. I have set the property but in the service I get access denied as the services takes over a strange unknown dev{somenumbers} role. Do you have any idea realtead to this? – gamer Jun 30 '21 at 08:26
  • by property i mean the service_aacount_name parameter in the KubernetesPodOperator. and by service, I meant the service in the DockerImage deployed in the pod. – gamer Jun 30 '21 at 09:43
  • Unfortunately I'm not familiar with EKS. I'd suggest to create your own Stackoverflow question. – tsabsch Jul 01 '21 at 09:06
1

As it turns out, the pod object in airflow code does have the service_account_name field, it is just not set by the KubernetesPodOperator. I had to extend KubernetesPodOperator and override the execute method by copying all of it. Added a single line where I set the service_account_name for the pod object.

Not the cleanest solution but it worked!

idk
  • 31
  • 1
  • 5
  • 1
    Good idea. I looked up the source code for the K8sPodOperator (for v1.10.15) and it turns out, it _does_ have a parameter `service_account_name` which is just not documented. You might be able to use that instead of overriding the operator. – tsabsch Apr 13 '21 at 14:08