Skip to content

Fix pipeline default service account#969

Merged
k8s-ci-robot merged 2 commits into
kubeflow:masterfrom
Bobgy:kfp_fix_pipeline_sa
Mar 3, 2020
Merged

Fix pipeline default service account#969
k8s-ci-robot merged 2 commits into
kubeflow:masterfrom
Bobgy:kfp_fix_pipeline_sa

Conversation

@Bobgy

@Bobgy Bobgy commented Mar 2, 2020
edited by jlewi
Loading

Copy link
Copy Markdown
Contributor

Which issue is resolved by this Pull Request:
Resolves kubeflow/kubeflow#4803

Description of your changes:

  1. Use kf-user as pipeline default sa.
  2. Bind pipeline-runner clusterrole to kf-user to avoid breaking existing usages.

Checklist:

  • Unit tests have been rebuilt:
    1. cd manifests/tests
    2. make generate-changed-only
    3. make test

This change is Reviewable

@k8s-ci-robot k8s-ci-robot requested review from Jeffwan and jlewi March 2, 2020 04:03
@Bobgy

Bobgy commented Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

/assign @jlewi

@Bobgy

Bobgy commented Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

/retest
The error doesn't seem related

@Bobgy

Bobgy commented Mar 2, 2020
edited
Loading

Copy link
Copy Markdown
Contributor Author

Strange, I got error:

util.py                     72 INFO     failed to apply:  (kubeflow.error): Code 500 with message: kfApp Apply failed for kustomize:  (kubeflow.error): Code 500 w
ith message: Apply.Run  Error error when creating "/tmp/kout809907334": ClusterRoleBinding.rbac.authorization.k8s.io "pipeline-runner" is invalid: subjects[1].nam
espace: Required value

I guess when referring to a service account not defined in the same kustomize package, it must have a namespace.

@Bobgy

Bobgy commented Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

I'm not sure this is the right fix, because it seems https://github.com/kubeflow/kfctl/search?q=kf-user&unscoped_q=kf-user kf-user sa only exists in gcp and aws clusters.

I think we'd need a solution to let each application flexibly define what service account needs what binding in their yamls. KCC can support that for GCP, we'd need something similar.

@Bobgy

Bobgy commented Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

The error message seems irrelevant, will retry again.
/retest

Bobgy
Bobgy commented Mar 2, 2020
View reviewed changes
Comment thread pipeline/pipelines-runner/base/cluster-role-binding.yaml
# temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default
- kind: ServiceAccount
name: kf-user
namespace: kubeflow

@Bobgy Bobgy Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jlewi Should I use var replace here?

@Bobgy

Bobgy commented Mar 2, 2020

Copy link
Copy Markdown
Contributor Author

The failed step cannot pull image: gcr.io/kubeflow-ci/test-worker-py3:789005d.
I checked on gcr.io, the image doesn't exist, seems like we are pinning to an invalid image.

@IronPan

IronPan commented Mar 2, 2020

Copy link
Copy Markdown
Member

/lgtm

@gabrielwen

gabrielwen commented Mar 2, 2020

Copy link
Copy Markdown
Contributor

/retest

@gabrielwen

gabrielwen commented Mar 2, 2020

Copy link
Copy Markdown
Contributor

@Bobgy the test is fixed :)

@jlewi

jlewi commented Mar 3, 2020

Copy link
Copy Markdown
Contributor

/approve

@k8s-ci-robot

k8s-ci-robot commented Mar 3, 2020

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jlewi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit ad38b41 into kubeflow:master Mar 3, 2020
@Bobgy Bobgy deleted the kfp_fix_pipeline_sa branch March 3, 2020 00:18
@Bobgy

Bobgy commented Mar 3, 2020

Copy link
Copy Markdown
Contributor Author

Thanks! @jlewi @gabrielwen

@Bobgy Bobgy mentioned this pull request Mar 11, 2020
Merged
1 task
Bobgy added a commit to Bobgy/manifests that referenced this pull request Mar 31, 2020
@Bobgy
Fix pipeline default service account for GCP (kubeflow#969 and kubefl…
9fdfc76 
…ow#997)
k8s-ci-robot pushed a commit that referenced this pull request Apr 7, 2020
@Bobgy
Fix pipeline default service account for GCP (#969 and #997) (#1064)
ecf8e1e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jeffwan Jeffwan Awaiting requested review from Jeffwan

@jlewi jlewi Awaiting requested review from jlewi

Assignees

@jlewi jlewi

@IronPan IronPan

Labels

approved cla: yes lgtm size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

KFP builtin samples fail in KF1.0

6 participants

@Bobgy @IronPan @gabrielwen @jlewi @k8s-ci-robot @googlebot