InformaticsMatters / squonk

Squonk platform and computational notebook
Apache License 2.0

Nextflow fails to honour serviceAccount #34

Open alanbchristie opened 5 years ago

alanbchristie commented 5 years ago

(in the latest Squonk deployment ... ORN Dev)

The error is caused by system:serviceaccount:squonk:default not being able to create Pods in the Squonk namespace. By setting the appropriate role on the default SA (like admin) it shows up in oc adm policy who-can create pods output.

Interestingly the CellExecutor Pod needed to be bounced for the change to take effect but we either need to:

alanbchristie commented 5 years ago

In the OpenShiftRunner we should be able to pass the project service account to nextflow via addExtraNextflowConfig().

At the same time we should also adjust the squonk-app-components.yaml template to define SQUONK_SERVICE_ACCOUNT as the OpenShiftRunner relies on the default value of squonk (which happens to work).

alanbchristie commented 5 years ago

Having made changes, a re-test in minishift still results in the same error, even with serviceAccount = 'squonk' now set. Started a chat on https://gitter.im/nextflow-io/nextflow with...

I'm trying to use the serviceAccount feature of the k8s config in an OpenShift environment. Pods in the namespace I'm running in cannot be launched or watched by the default SA. When I set the serviceAccount in the config the default account is still being used. I see this from nextflow: pods is forbidden: User "system:serviceaccount:squonk:default" cannot create pods in the namespace "squonk". Nextflow claims to have found the local configuration file which I know contains the line serviceAccount = 'squonk' so I would expect the user to be system:serviceaccount:squonk:squonk. Is there a way I can debug nextflow to understand why it's using the default account rather than the one defined in the config? At least to eliminate any error I have made.

alanbchristie commented 5 years ago

Problem initially caused by the service account of the main pod but service account of launched pods is still wrong. An issue has been raised in nextflow...

https://github.com/nextflow-io/nextflow/issues/1049

alanbchristie commented 5 years ago

A fix has been merged to master from the issue-34 branch (which has now been closed). Keeping this issue open until the nextflow problem is understood/resolved (and changing title of defect).
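
Added example, not part of the issue thread or the Squonk repository: a namespaced Role and RoleBinding that gives the squonk service account only the Pod permissions whose absence produced the "cannot create pods" error, as a narrower grant than putting admin on the default SA. The Role and RoleBinding names and the exact resource/verb list are assumptions; the squonk ServiceAccount is assumed to exist already in the squonk namespace.

```yaml
# Added example, not taken from the Squonk repository.
# Assumes ServiceAccount "squonk" already exists in namespace "squonk".
# Object names and the resource/verb list are assumptions; trim or extend
# them to what the workflow launcher actually calls.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nextflow-pod-runner          # hypothetical name
  namespace: squonk
rules:
  # Launch, poll and clean up task Pods.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Read-only access to Pod status and logs.
  - apiGroups: [""]
    resources: ["pods/status", "pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nextflow-pod-runner-squonk   # hypothetical name
  namespace: squonk
subjects:
  # Bind the named SA, not "default", so other Pods in the namespace
  # that run as "default" do not inherit Pod-creation rights.
  - kind: ServiceAccount
    name: squonk
    namespace: squonk
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nextflow-pod-runner
```

With this applied, oc adm policy who-can create pods in the squonk namespace should list system:serviceaccount:squonk:squonk without any role having been granted to the default account.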