PrefectHQ / prefect-helm

Helm charts for deploying Prefect Services
Apache License 2.0

Worker role #307

Closed gitarns closed 7 months ago

gitarns commented 7 months ago

Hello,

The worker role installed by the helm chart doesn't have enough permissions: the Role is scoped to the namespace the worker is installed in, but it needs to access the resource "namespace" in the kube-system namespace.

kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'e24793ea-d6b0-414d-aba7-b4517078ebdb', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '91794b96-4ad8-4ed1-835f-740d9c7038b2', 'X-Kubernetes-Pf-Prioritylevel-Uid': '4b6fdf19-07ef-4fba-927f-abe6e76949a1', 'Date': 'Wed, 28 Feb 2024 13:45:56 GMT', 'Content-Length': '351'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:prefect-dcb:prefect-worker\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"","reason":"Forbidden","details":{"name":"kube-system","kind":"namespaces"},"code":403}

jamiezieziula commented 7 months ago

Hi @gitarns, as defined here, the worker attempts to read the kube-system namespace for its unique ID. This is used by prefect to identify the cluster in which the worker is deployed. By using the Helm Chart, the Chart on install should do this for you, removing the need for the worker service account itself to access the kube-system namespace. If it is failing, you can always provide your own unique ID at worker.clusterUid.
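An added example (not from the issue thread or the chart itself) of the least-privilege route the reply describes: read the kube-system UID once at install time with the operator's own credentials, pass it as worker.clusterUid, and then confirm that the worker's ServiceAccount still cannot read kube-system. The release name, the chart repo alias and the Helm repo URL are assumptions; the namespace and ServiceAccount name are the ones from the 403 message above.

```shell
#!/bin/sh
# Added example: install the worker with worker.clusterUid pre-set so the
# namespace-scoped Role never needs "get namespaces" in kube-system.
set -eu

# Assumptions (not from the issue): release name and chart reference.
# The chart alias assumes: helm repo add prefect https://prefecthq.github.io/prefect-helm
RELEASE="prefect-worker"
CHART="prefect/prefect-worker"
# Namespace and ServiceAccount name as they appear in the issue's error message.
NAMESPACE="${NAMESPACE:-prefect-dcb}"
SA_NAME="prefect-worker"

# Namespace UIDs are UUIDs; reject anything else before it reaches --set.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the helm command as a string so it can be inspected before running.
# Returns 1 (prints nothing) when the UID is not a well-formed UUID.
build_helm_cmd() {
  ns="$1"; uid="$2"
  is_uuid "$uid" || return 1
  printf 'helm upgrade --install %s %s --namespace %s --set worker.clusterUid=%s' \
    "$RELEASE" "$CHART" "$ns" "$uid"
}

# Post-install check: can the worker's ServiceAccount read namespaces in
# kube-system? Prints "yes" or "no"; kubectl exits 1 on "no", so swallow that.
sa_can_read_kube_system() {
  kubectl auth can-i get namespaces --namespace kube-system \
    --as "system:serviceaccount:$1:$2" 2>/dev/null || true
}

main() {
  # Read the UID with the operator's (cluster-wide) credentials, exactly once.
  uid="$(kubectl get namespace kube-system -o jsonpath='{.metadata.uid}')"
  cmd="$(build_helm_cmd "$NAMESPACE" "$uid")"
  echo "running: $cmd"
  eval "$cmd"
  # Expected answer is "no": the chart's Role stays scoped to $NAMESPACE.
  echo "worker SA can read kube-system: $(sa_can_read_kube_system "$NAMESPACE" "$SA_NAME")"
}

# Opt in explicitly so sourcing this file (e.g. from a test) does not touch a cluster.
if [ "${RUN_INSTALL:-0}" = "1" ]; then main; fi
```

Run with `RUN_INSTALL=1 ./install-worker.sh` against a kubeconfig that may read kube-system; the final line should report `no` for the worker ServiceAccount.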