LamaAni / KubernetesJobOperator

An Airflow operator that executes a task in a Kubernetes cluster, given a Kubernetes YAML configuration or an image reference.

Cannot create resource "jobs" #65

Closed habibutsu closed 2 years ago

habibutsu commented 2 years ago

We use the official Helm chart apache-airflow/airflow. When trying this operator, starting the pod fails with the following error:

airflow_kubernetes_job_operator.kube_api.exceptions.KubeApiClientException: airflow_kubernetes_job_operator.kube_api.operations.CreateNamespaceResource, Forbidden: jobs.batch is forbidden: User "system:serviceaccount:airflow:airflow-worker" cannot create resource "jobs" in API group "batch" in the namespace "airflow"

LamaAni commented 2 years ago

This would probably mean that the user running within the pod (e.g. the Helm chart user) does not have permissions to access the resources and create new jobs/pods/etc. resources. This is a result of the Helm chart user attempting to access the Kubernetes cluster API (REST API, in this case) from within the executing worker pod.

The error comes from within the Helm chart and is best addressed there.

The solution is to create a role that allows the required permissions, and apply it to the airflow user (see above) in the executing namespace. I also do believe the Helm chart has the option to change the airflow user's Kubernetes permissions, but was unable to find the exact config. You can search for it here

To test, you can install/download the kubectl CLI into your running worker pod and try to execute commands with the CLI, e.g. kubectl get pods or kubectl run...

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-extra-permissions
rules:
  - apiGroups:
      - ""
      - "apps"
      - "batch"
    resources:
      - endpoints
      - deployments
      - pods
      - jobs
    verbs:
      # Quoted: a bare * is a YAML alias marker and does not parse
      - "*"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-extra-permissions
  namespace: [the namespace where you are running]
subjects:
  - kind: ServiceAccount
    name: airflow-worker
    namespace: [the namespace where you are running]
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: airflow-extra-permissions
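
As an added example (not code from this thread or from the KubernetesJobOperator project), the sketch below parses RBAC denial messages of the form quoted in the issue and renders a Role and RoleBinding that grant only the verbs that were actually denied, a narrower alternative to wildcard verbs. The `prefix` name and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# RBAC denial text from the API server (format taken from the error quoted in the issue).
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

# First line is the error from the issue; the other three are constructed for illustration.
SAMPLE = [
    'Forbidden: jobs.batch is forbidden: User "system:serviceaccount:airflow:airflow-worker" '
    'cannot create resource "jobs" in API group "batch" in the namespace "airflow"',
    'Forbidden: jobs.batch is forbidden: User "system:serviceaccount:airflow:airflow-worker" '
    'cannot watch resource "jobs" in API group "batch" in the namespace "airflow"',
    'Forbidden: pods is forbidden: User "system:serviceaccount:airflow:airflow-worker" '
    'cannot list resource "pods" in API group "" in the namespace "airflow"',
    "INFO scheduler heartbeat ok",
]

def collect_denials(lines):
    """Map (namespace, sa namespace, sa name, API group, resource) -> set of denied verbs."""
    denied = defaultdict(set)
    for line in lines:
        m = DENIAL.search(line)
        if m:  # cluster-scoped denials carry no namespace and are skipped: a Role cannot grant them
            denied[(m["ns"], m["sa_ns"], m["sa"], m["group"], m["res"])].add(m["verb"])
    return denied

def render_manifests(denied, prefix="job-operator"):  # prefix: hypothetical naming choice
    """Render one Role + RoleBinding per service account, granting only the denied verbs."""
    rules = defaultdict(list)
    for (ns, sa_ns, sa, group, res), verbs in sorted(denied.items()):
        verb_list = ", ".join('"%s"' % v for v in sorted(verbs))
        rules[(ns, sa_ns, sa)].append(
            '  - apiGroups: ["%s"]\n    resources: ["%s"]\n    verbs: [%s]\n' % (group, res, verb_list))
    docs = []
    for (ns, sa_ns, sa), items in rules.items():
        name = "%s-%s" % (prefix, sa)
        head = "apiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: %s\n  namespace: %s\n" % (name, ns)
        docs.append("kind: Role\n" + head + "rules:\n" + "".join(items))
        docs.append("kind: RoleBinding\n" + head
                    + "subjects:\n  - kind: ServiceAccount\n    name: %s\n    namespace: %s\n" % (sa, sa_ns)
                    + "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: %s\n" % name)
    return "---\n".join(docs)

if __name__ == "__main__":
    print(render_manifests(collect_denials(SAMPLE)))
```

Each failed API call reports only the one verb it needed, so collect the worker log over a full task run before applying the rendered manifests.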