Airflow - KubernetesPodOperator - Role binding a service account

Question

I am currently using the KubernetesPodOperator to run a Pod on a Kubernetes cluster. I am getting the below error:

kubernetes.client.rest.ApiException: (403) Reason: Forbidden

HTTP response headers: HTTPHeaderDict({'Audit-Id': '', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 30 Aug 2021 00:12:57 GMT', 'Content-Length': '309'})

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User "system:serviceaccount:airflow10:airflow-worker-serviceaccount" cannot list resource "pods" in API group "" in the namespace "default"","reason":"Forbidden","details":{"kind":"pods"},"code":403}

I can resolve this by running the below commands:

kubectl create clusterrole pod-creator --verb=create,get,list,watch --resource=pods

kubectl create clusterrolebinding pod-creator-clusterrolebinding --clusterrole=pod-creator --serviceaccount=airflow10:airflow-worker-serviceaccount

But I want to be able to setup the service account with the correct permissions inside airflow automatically. What would be a good approach to do this without having to run the above commands?

Answer 1

You can't really. You need to assign and create the roles when you deploy airflow, otherwise that would mean that you have huge security risk because deployed application would be able to give more permissions.

This can be done in multiple ways "automatically" if your intention was to somewhat automate the deployment. For example if your airflow deployment is done via Helm chart, the chart can add an configure the right resources to create appropriate role bindings. You can see how our Official Helm chart does it:

• https://github.com/apache/airflow/blob/main/chart/templates/rbac/pod-launcher-role.yaml
• https://github.com/apache/airflow/blob/main/chart/templates/rbac/pod-launcher-rolebinding.yaml