Hey! When setting a custom service account name with:
serviceAccount:
name: "infra-datalore-dev"
The datalore logs show lots of these errors:
11:18:33.896 WARN [Datalore EDT Manager] j.d.n.s.c.a.i.i.k.KubernetesInstanceManager - Exception during creating k8s agent: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:infra-datalore:infra-datalore-dev\" cannot create resource \"pods\" in API group \"\" in the namespace \"infra-datalore\"","reason":"Forbidden","details":{"kind":"pods"},"code":403}
Which I think is based on using datalore.fullname instead of datalore.serviceAccountName in line 14 in charts/datalore/templates/rolebinding.yaml:
{{- if .Values.serviceAccount.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "datalore.fullname" . }}
labels:
{{- include "datalore.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "datalore.fullname" . }}
apiGroup: ""
subjects:
- kind: ServiceAccount
name: {{ include "datalore.fullname" . }}
{{- end }}
When setting the custom service account name to the same as datalore.fullname the errors go away and everything works fine.
Hey! When setting a custom service account name with:
The datalore logs show lots of these errors:
Which I think is based on using
datalore.fullname
instead ofdatalore.serviceAccountName
in line 14 incharts/datalore/templates/rolebinding.yaml
:When setting the custom service account name to the same as
datalore.fullname
the errors go away and everything works fine.