Grant pipeline-runner k8s service account admin permission #220

Closed
IronPan opened this issue Nov 12, 2018 · 4 comments


IronPan commented Nov 12, 2018

Currently, if a user's pipeline wants to launch a tf-job, job or other K8s resources, it will fail with the following error:

```
level=error msg="handle object: patching object from cluster: merging object with existing state: jobs.batch \"search-index-creator\" is forbidden: User \"system:serviceaccount:kubeflow:pipeline-runner\" cannot get jobs.batch in the namespace \"kubeflow\""
```

We need to grant pipeline-runner the admin permission so it can launch anything the user specifies.


IronPan commented Nov 13, 2018

To quickly unblock, you can run the following command to grant the pipeline runner enough permission:

```
kubectl create clusterrolebinding pipelinerunnerbinding \
  --clusterrole=cluster-admin \
  --serviceaccount=kubeflow:pipeline-runner
```


vicaire commented Mar 27, 2019

Should it really be admin? Is there a way we could grant lesser privileges?


IronPan commented Mar 27, 2019

We can also add permissions incrementally, but it's hard to predict what resources a user wants to launch from a pipeline. It could be, for example, a customized resource.

Admin permission is fine as long as it's a single-user scenario. For the multi-user case, I would hope to see how Kubeflow sets things up and follow the same convention.
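
The incremental approach discussed in the two comments above can be driven by the denials themselves. The following is an added example, not part of the original thread or of the Kubeflow code base: it parses "forbidden" log lines in the format quoted in this issue and aggregates them into the rules of a namespaced Role for one service account. The Role name `pipeline-runner-observed` and every sample line except the first are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Old-style RBAC denial as logged in this issue; quotes may be
# backslash-escaped because the message sits inside msg="...".
DENIED = re.compile(
    r'User \\?"system:serviceaccount:(?P<sa_ns>[^:"\\]+):(?P<sa>[^"\\]+)\\?" '
    r'cannot (?P<verb>[a-z]+) (?P<res>[a-z0-9.-]+) '
    r'in the namespace \\?"(?P<ns>[^"\\]+)\\?"'
)

# Constructed sample input: the first entry is the error quoted in the issue,
# the other two are made up for illustration.
SAMPLE = [
    r'level=error msg="handle object: patching object from cluster: merging object '
    r'with existing state: jobs.batch \"search-index-creator\" is forbidden: User '
    r'\"system:serviceaccount:kubeflow:pipeline-runner\" cannot get jobs.batch in the namespace \"kubeflow\""',
    r'level=error msg="jobs.batch is forbidden: User \"system:serviceaccount:kubeflow:pipeline-runner\" '
    r'cannot create jobs.batch in the namespace \"kubeflow\""',
    r'level=error msg="pods is forbidden: User \"system:serviceaccount:default:other-sa\" '
    r'cannot list pods in the namespace \"default\""',
]

def rules_from_denials(lines, service_account):
    """Return {namespace: [rule, ...]} covering only the calls that were denied."""
    verbs = defaultdict(set)  # (namespace, apiGroup, resource) -> denied verbs
    for line in lines:
        m = DENIED.search(line)
        if not m or f"{m['sa_ns']}:{m['sa']}" != service_account:
            continue
        # "jobs.batch" is resource.group; core resources ("pods") have group "".
        resource, _, group = m["res"].partition(".")
        verbs[(m["ns"], group, resource)].add(m["verb"])
    roles = defaultdict(list)
    for (ns, group, resource), vs in sorted(verbs.items()):
        roles[ns].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(vs)})
    return dict(roles)

def role_manifest(name, namespace, rules):
    """Build a namespaced Role object (rbac.authorization.k8s.io/v1)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace}, "rules": rules}

if __name__ == "__main__":
    for ns, rules in rules_from_denials(SAMPLE, "kubeflow:pipeline-runner").items():
        # Hypothetical Role name; review the output before applying it.
        print(json.dumps(role_manifest("pipeline-runner-observed", ns, rules), indent=2))
```

The output is a Role only; it takes effect once a RoleBinding in the same namespace ties it to the service account, and it covers only calls that have already been denied at least once.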


IronPan commented Jun 28, 2019

Update - The current set of permissions is working fine, after adding admin permission for all Kubeflow resources and PV/PVC
https://github.com/kubeflow/pipelines/pull/1576/files

IronPan closed this as completed Jun 28, 2019