feat: add support for passing additional permissions to the agent role (

#71) * add support for dask cluster * Update charts/prefect-agent/values.yaml Co-authored-by: Michael Adkins <contact@zanie.dev> * update to allow addt permissions to be passed * readme docs * fix level Co-authored-by: Michael Adkins <contact@zanie.dev>
PrefectHQ · Oct 6, 2022 · c6c5c8c · c6c5c8c
1 parent bf577f1
commit c6c5c8c
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 1 deletion.
diff --git a/Readme.md b/Readme.md
@@ -167,6 +167,23 @@ If you are running in OpenShift, the default `restricted` security context const
 
 The other default settings, such as a read-only root filesystem, are suitable for an OpenShift environment.
 
+## Additional Permissions for Prefect Agent
+
+### Dask
+
+If you are running flows on your agent’s pod (i.e. with Process infrastructure), and using the Dask task runner to create Dask Kubernetes clusters, you will need to grant the following permissions within `values.yaml`.
+
+```yaml
+role:
+  extraPermissions:
+    - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+    - apiGroups: ["policy"]
+    resources: ["poddisruptionbudgets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+```
+
 ## Troubleshooting
 
 ### The database deploys correctly but other services fail with "bad password"

diff --git a/charts/prefect-agent/README.md b/charts/prefect-agent/README.md
@@ -65,6 +65,7 @@ Prefect Agent application bundle
 | fullnameOverride | string | `"prefect-agent"` | fully override common.names.fullname |
 | nameOverride | string | `""` | partially overrides common.names.name |
 | namespaceOverride | string | `""` | fully override common.names.namespace |
+| role.extraPermissions | list | `[]` | array with extra permissions to add to the agent role |
 | serviceAccount.annotations | object | `{}` | additional service account annotations (evaluated as a template) |
 | serviceAccount.create | bool | `true` | specifies whether a ServiceAccount should be created |
 | serviceAccount.name | string | `""` | the name of the ServiceAccount to use. if not set and create is true, a name is generated using the common.names.fullname template |

diff --git a/charts/prefect-agent/templates/role.yaml b/charts/prefect-agent/templates/role.yaml
@@ -19,3 +19,6 @@ rules:
 - apiGroups: ["batch"]
   resources: ["jobs"]
   verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+{{- if .Values.role.extraPermissions }}
+{{- include "common.tplvalues.render" (dict "value" .Values.role.extraPermissions "context" $) | nindent 0 }}
+{{- end }}
diff --git a/charts/prefect-agent/values.yaml b/charts/prefect-agent/values.yaml
@@ -65,7 +65,6 @@ agent:
     # -- prefect API url
     apiUrl: http://127.0.0.1:4200/api
 
-
   # -- number of agent replicas to deploy
   replicaCount: 1
 
@@ -137,3 +136,14 @@ serviceAccount:
   name: ""
   # -- additional service account annotations (evaluated as a template)
   annotations: {}
+
+## Role configuration
+role:
+  ## List of extra role permissions
+  ## e.g:
+  ## extraPermissions:
+  ##  - apiGroups: [""]
+  ##    resources: ["pods", "services"]
+  ##    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  # -- array with extra permissions to add to the agent role
+  extraPermissions: []