-1

I'm trying to deploy a GKE Workload (yaml file) via Cloud Composer 2. I can do it easily via the console, but from Cloud Composer I'm facing authorization issues, which led me to wonder whether this is the best method. The general idea for this pipeline is as follows:

1 - Create GKE cluster

2 - Start POD (with composer operator).

3 - kubectl -f app.yaml

4 - execute scraping script (selenium grid)

5 - delete GKE cluster

All of the steps above have been tested on their own without an issue; only when trying from Cloud Composer am I facing authorization issues on step 3.

deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create resource "deployments" in API group "apps" in the namespace "default"
services is forbidden: User "system:serviceaccount:default:default" cannot create resource "services" in API group "" in the namespace "default"
deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create resource "deployments" in API group "apps" in the namespace "default"

Any help/clarification would be appreciated

Harsh Manvar
pmoreira

2 Answers

0

That's weird. You can give the default user the permission of Admin once and try:

kubectl create clusterrolebinding default-admin \
    --clusterrole cluster-admin \
    --serviceaccount=default:default \
    --namespace default
Harsh Manvar
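A narrower alternative to binding cluster-admin, as an added example that is not from either poster: it parses the Forbidden messages quoted in the question and builds a namespaced Role and RoleBinding that grant only the denied verbs on the denied resources to the service account named in the errors. The role name `composer-deployer` and the function `build_rbac` are hypothetical names chosen for this sketch.

```python
import json
import re

# Error lines copied from the question above (the duplicate line is omitted).
DENIALS = """\
deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create resource "deployments" in API group "apps" in the namespace "default"
services is forbidden: User "system:serviceaccount:default:default" cannot create resource "services" in API group "" in the namespace "default"
"""

FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def build_rbac(text, role_name="composer-deployer"):  # role_name is hypothetical
    """Return [Role, RoleBinding] covering only the denied requests in text."""
    rules, subjects, namespaces = {}, set(), set()
    for m in FORBIDDEN.finditer(text):
        # Collect verbs per (apiGroup, resource); duplicates collapse.
        rules.setdefault((m["group"], m["resource"]), set()).add(m["verb"])
        subjects.add((m["sa_ns"], m["sa"]))
        namespaces.add(m["ns"])
    if len(namespaces) != 1:
        # A Role is namespaced: refuse to guess when there are 0 or >1 targets.
        raise ValueError("expected denials from exactly one namespace")
    meta = {"name": role_name, "namespace": namespaces.pop()}
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": meta,
        "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                  for (g, r), v in sorted(rules.items())],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": meta,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "Role", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "namespace": n, "name": s}
                     for n, s in sorted(subjects)],
    }
    return [role, binding]

if __name__ == "__main__":
    # kubectl accepts a JSON List manifest as well as YAML.
    items = build_rbac(DENIALS)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

A denial only names the verb that failed first, so further Forbidden lines (for example for `get` or `patch`) may appear on the next run and can be fed back in the same way. Unlike a ClusterRoleBinding, the resulting binding has no effect outside the one namespace named in the errors.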
0

Composer 2 now provides a dedicated namespace composer-user-workloads where these task pods/workloads should be run. The default service account for this namespace already has the correct binding (Workload Identity) set up with the Composer SA, so no additional steps need to be performed by the user.

In our case, however, we had to additionally specify the config_file parameter and set it to /home/airflow/composer_kube_config to get past the permissions error we experienced (even though the Google documentation says this is not a mandatory parameter).

reference: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/main/composer/workflows/kubernetes_pod_operator_c2.py#L66

mkumar118