I am currently using the KubernetesPodOperator to run a Pod on a Kubernetes cluster. I am getting the below error:
```
kubernetes.client.rest.ApiException: (403) Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 30 Aug 2021 00:12:57 GMT', 'Content-Length': '309'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User "system:serviceaccount:airflow10:airflow-worker-serviceaccount" cannot list resource "pods" in API group "" in the namespace "default"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
```
I can resolve this by running the below commands:
```shell
kubectl create clusterrole pod-creator --verb=create,get,list,watch --resource=pods
kubectl create clusterrolebinding pod-creator-clusterrolebinding --clusterrole=pod-creator --serviceaccount=airflow10:airflow-worker-serviceaccount
```
But I want to be able to set up the service account with the correct permissions inside Airflow automatically. What would be a good approach to do this without having to run the above commands?
You can't really. You need to assign and create the roles when you deploy Airflow; otherwise you would have a huge security risk, because the deployed application would be able to give itself more permissions.
This can be done in multiple ways "automatically" if your intention was to somewhat automate the deployment. For example, if your Airflow deployment is done via a Helm chart, the chart can add and configure the right resources to create appropriate role bindings. You can see how our Official Helm chart does it:
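As an added example (not from the question, the answer, or the Airflow Helm chart), here is a namespace-scoped Role and RoleBinding that grant only what the 403 message asked for, applied at deployment time instead of the cluster-wide ClusterRole/ClusterRoleBinding created with kubectl above. It assumes the worker pods are launched into the "default" namespace, as the error message states, and takes the service account name and namespace from that message; the `pods/log` rule and the `delete` comment are assumptions tied to the operator's `get_logs` and `is_delete_operator_pod` settings.

```yaml
# Added example, not the project's own manifest. Namespace-scoped RBAC for
# the Airflow worker service account named in the 403 error.
# Apply with: kubectl apply -f airflow-pod-launcher-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: airflow-pod-launcher
  namespace: default          # assumption: the namespace the operator creates pods in
rules:
  - apiGroups: [""]
    resources: ["pods"]
    # Exactly the verbs from the question's ClusterRole; add "delete" only if
    # the operator is configured with is_delete_operator_pod=True.
    verbs: ["create", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]   # only needed when get_logs=True on the operator
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: airflow-pod-launcher
  namespace: default          # binding lives in the namespace being granted
subjects:
  - kind: ServiceAccount
    name: airflow-worker-serviceaccount   # from the error message
    namespace: airflow10                  # the SA's own namespace, from the error message
roleRef:
  kind: Role
  name: airflow-pod-launcher
  apiGroup: rbac.authorization.k8s.io
```

After applying it, confirm the grant is limited to that namespace with `kubectl auth can-i create pods -n default --as=system:serviceaccount:airflow10:airflow-worker-serviceaccount`, and check that the same command with `-n kube-system` answers `no`.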