diff --git a/pipeline/api-service/base/config-map.yaml b/pipeline/api-service/base/config-map.yaml index 1114392fcd..93843f72ae 100644 --- a/pipeline/api-service/base/config-map.yaml +++ b/pipeline/api-service/base/config-map.yaml @@ -3,6 +3,7 @@ apiVersion: v1 data: # apiserver assumes the config is named config.json + # temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default config.json: | { "DBConfig": { @@ -16,7 +17,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } diff --git a/pipeline/api-service/overlays/external-mysql/config-map.yaml b/pipeline/api-service/overlays/external-mysql/config-map.yaml index f00c842cee..7f2af37053 100644 --- a/pipeline/api-service/overlays/external-mysql/config-map.yaml +++ b/pipeline/api-service/overlays/external-mysql/config-map.yaml @@ -19,7 +19,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } diff --git a/pipeline/pipelines-runner/base/cluster-role-binding.yaml b/pipeline/pipelines-runner/base/cluster-role-binding.yaml index 1f1c2c20a8..018092f11e 100644 --- a/pipeline/pipelines-runner/base/cluster-role-binding.yaml +++ b/pipeline/pipelines-runner/base/cluster-role-binding.yaml @@ -9,3 +9,7 @@ roleRef: subjects: - kind: ServiceAccount name: pipeline-runner +# temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default +- kind: ServiceAccount + name: kf-user + namespace: kubeflow diff --git a/tests/pipeline-api-service-base_test.go b/tests/pipeline-api-service-base_test.go index f987869997..241d836b16 100644 --- a/tests/pipeline-api-service-base_test.go +++ b/tests/pipeline-api-service-base_test.go @@ -20,6 +20,7 @@ func writeApiServiceBase(th *KustTestHarness) { apiVersion: v1 data: # apiserver assumes the config is named config.json + # temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default config.json: | { "DBConfig": { @@ -33,7 +34,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } diff --git a/tests/pipeline-api-service-overlays-application_test.go b/tests/pipeline-api-service-overlays-application_test.go index 1875535374..83024a2695 100644 --- a/tests/pipeline-api-service-overlays-application_test.go +++ b/tests/pipeline-api-service-overlays-application_test.go @@ -68,6 +68,7 @@ resources: apiVersion: v1 data: # apiserver assumes the config is named config.json + # temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default config.json: | { "DBConfig": { @@ -81,7 +82,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } diff --git a/tests/pipeline-api-service-overlays-external-mysql_test.go b/tests/pipeline-api-service-overlays-external-mysql_test.go index a941e049cd..886ca7e44b 100644 --- a/tests/pipeline-api-service-overlays-external-mysql_test.go +++ b/tests/pipeline-api-service-overlays-external-mysql_test.go @@ -36,7 +36,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } @@ -97,6 +97,7 @@ configurations: apiVersion: v1 data: # apiserver assumes the config is named config.json + # temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default config.json: | { "DBConfig": { @@ -110,7 +111,7 @@ data: "BucketName": "mlpipeline" }, "InitConnectionTimeout": "6m", - "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "DefaultPipelineRunnerServiceAccount": "kf-user", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 } diff --git a/tests/pipeline-pipelines-runner-base_test.go b/tests/pipeline-pipelines-runner-base_test.go index c9cf87a67c..ae61e4bea4 100644 --- a/tests/pipeline-pipelines-runner-base_test.go +++ b/tests/pipeline-pipelines-runner-base_test.go @@ -26,6 +26,10 @@ roleRef: subjects: - kind: ServiceAccount name: pipeline-runner +# temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default +- kind: ServiceAccount + name: kf-user + namespace: kubeflow `) th.writeF("/manifests/pipeline/pipelines-runner/base/cluster-role.yaml", ` apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/tests/pipeline-pipelines-runner-overlays-application_test.go b/tests/pipeline-pipelines-runner-overlays-application_test.go index 5ad83f9e08..20c3361b4c 100644 --- a/tests/pipeline-pipelines-runner-overlays-application_test.go +++ b/tests/pipeline-pipelines-runner-overlays-application_test.go @@ -74,6 +74,10 @@ roleRef: subjects: - kind: ServiceAccount name: pipeline-runner +# temporarily switched to kf-user, because pipeline-runner isn't bound to workload identity by default +- kind: ServiceAccount + name: kf-user + namespace: kubeflow `) th.writeF("/manifests/pipeline/pipelines-runner/base/cluster-role.yaml", ` apiVersion: rbac.authorization.k8s.io/v1beta1