From c6c5c8c043b1c7e65e3819b504942f7a3b9b710b Mon Sep 17 00:00:00 2001 From: Jamie Zieziula Date: Thu, 6 Oct 2022 16:25:52 -0400 Subject: [PATCH] feat: add support for passing additional permissions to the agent role (#71) * add support for dask cluster * Update charts/prefect-agent/values.yaml Co-authored-by: Michael Adkins * update to allow addt permissions to be passed * readme docs * fix level Co-authored-by: Michael Adkins --- Readme.md | 17 +++++++++++++++++ charts/prefect-agent/README.md | 1 + charts/prefect-agent/templates/role.yaml | 3 +++ charts/prefect-agent/values.yaml | 12 +++++++++++- 4 files changed, 32 insertions(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index 37227b12..785fa56b 100644 --- a/Readme.md +++ b/Readme.md @@ -167,6 +167,23 @@ If you are running in OpenShift, the default `restricted` security context const The other default settings, such as a read-only root filesystem, are suitable for an OpenShift environment. +## Additional Permissions for Prefect Agent + +### Dask + +If you are running flows on your agent’s pod (i.e. with Process infrastructure), and using the Dask task runner to create Dask Kubernetes clusters, you will need to grant the following permissions within `values.yaml`. + +```yaml +role: + extraPermissions: + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +``` + ## Troubleshooting ### The database deploys correctly but other services fail with "bad password" diff --git a/charts/prefect-agent/README.md b/charts/prefect-agent/README.md index 1d51efb6..b7fc2d70 100644 --- a/charts/prefect-agent/README.md +++ b/charts/prefect-agent/README.md 
@@ -65,6 +65,7 @@ Prefect Agent application bundle | fullnameOverride | string | `"prefect-agent"` | fully override common.names.fullname | | nameOverride | string | `""` | partially overrides common.names.name | | namespaceOverride | string | `""` | fully override common.names.namespace | +| role.extraPermissions | list | `[]` | array with extra permissions to add to the agent role | | serviceAccount.annotations | object | `{}` | additional service account annotations (evaluated as a template) | | serviceAccount.create | bool | `true` | specifies whether a ServiceAccount should be created | | serviceAccount.name | string | `""` | the name of the ServiceAccount to use. if not set and create is true, a name is generated using the common.names.fullname template | diff --git a/charts/prefect-agent/templates/role.yaml b/charts/prefect-agent/templates/role.yaml index 320b7783..3173efdc 100644 --- a/charts/prefect-agent/templates/role.yaml +++ b/charts/prefect-agent/templates/role.yaml @@ -19,3 +19,6 @@ rules: - apiGroups: ["batch"] resources: ["jobs"] verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] +{{- if .Values.role.extraPermissions }} +{{- include "common.tplvalues.render" (dict "value" .Values.role.extraPermissions "context" $) | nindent 0 }} +{{- end }} diff --git a/charts/prefect-agent/values.yaml b/charts/prefect-agent/values.yaml index b9d0960e..2041eb63 100644 --- a/charts/prefect-agent/values.yaml +++ b/charts/prefect-agent/values.yaml @@ -65,7 +65,6 @@ agent: # -- prefect API url apiUrl: http://127.0.0.1:4200/api - # -- number of agent replicas to deploy replicaCount: 1 
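Review bot: The three lines added at the end of `rules:` in templates/role.yaml append whatever is in `.Values.role.extraPermissions` to the agent Role with no shape check, and because they go through `common.tplvalues.render` the value is evaluated as a template first. A comment above the `if` would make that visible to anyone auditing the Role, for example `{{- /* role.extraPermissions is rendered as a template and appended as-is to this Role's rules; each entry is an extra grant to the agent */ -}}`. `nindent 0` only lines up if the existing rules are written flush at column 0, which the collapsed whitespace on this page does not show. It is worth confirming with `helm template` and a non-empty list that the rendered Role contains the extra rules under `rules:`.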
@@ -137,3 +136,14 @@ serviceAccount:
 name: ""
 # -- additional service account annotations (evaluated as a template)
 annotations: {}
+
+## Role configuration
+role:
+ ## List of extra role permissions
+ ## e.g:
+ ## extraPermissions:
+ ## - apiGroups: [""]
+ ## resources: ["pods", "services"]
+ ## verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ # -- array with extra permissions to add to the agent role
+ extraPermissions: []
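Review bot: The `# --` line above `extraPermissions` feeds the chart README, and it does not say that the list is evaluated as a template or that each entry becomes a rule on the agent's Role; the neighbouring `serviceAccount.annotations` comment does carry the "(evaluated as a template)" hint. I would write it as `# -- array with extra permissions to add to the agent role (evaluated as a template); list only the resources and verbs your flows need`. The commented example grants `create` and `delete` on pods and services, and `create` on pods lets the holder start pods that use any service account or secret in the namespace. A short `##` line saying the example is the Dask case from the top-level Readme, not a recommended default, would help readers copy no more than they need.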