Currently one needs to set up cluster roles for Kestra so that it is able to create Pods and stream execution logs.
We do it like this:
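# RBAC granted to Kestra so it can create Pods and stream their execution logs.
#
# NOTE(review): all three roles are ClusterRoles, so every rule below applies in
# every namespace. `namespaces` with `delete` in particular goes well beyond what
# creating Pods and reading their logs requires — confirm Kestra needs it, or
# replace these with namespaced Roles in the namespace Kestra launches Pods in.
resource "kubernetes_cluster_role" "pod_creator" {
  metadata {
    name = "pod-creator"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["get", "list", "watch", "create", "delete"]
  }
}

resource "kubernetes_cluster_role" "pod_log_reader" {
  metadata {
    name = "pod-log-reader"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/log"]
    verbs      = ["get", "list"]
  }
}

# "post" is not a Kubernetes RBAC verb; the documented verb for the exec
# subresource is `create`, so the original rule would not grant exec.
resource "kubernetes_cluster_role" "pod_executor" {
  metadata {
    name = "pod-executor"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/exec"]
    verbs      = ["get", "create"]
  }
}

# Subjects use kind = "ServiceAccount" rather than a User named
# "system:serviceaccount:kestra:default"; both resolve to the same identity,
# but the ServiceAccount form is the idiomatic one and is easier to audit.
#
# NOTE(review): binding the namespace's `default` service account means every
# Pod in the kestra namespace that does not set its own serviceAccountName
# inherits these cluster-wide permissions — consider a dedicated service
# account for Kestra.
resource "kubernetes_cluster_role_binding" "kestra_pod_creator" {
  metadata {
    name = "kestra-pod-creator"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-creator"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}

resource "kubernetes_cluster_role_binding" "kestra_pod_log_reader" {
  metadata {
    name = "kestra-pod-log-reader"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-log-reader"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}

resource "kubernetes_cluster_role_binding" "kestra_pod_executor" {
  metadata {
    name = "kestra-pod-executor"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-executor"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}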
Instead, it could be embedded directly in the Kestra Helm chart using templating, as Airbyte does here:
---
apiVersion: rbac.authorization.k8s.io/v1
# A namespaced Role: unlike a ClusterRole it only grants access inside the
# release namespace, which is the least-privilege advantage of this approach.
kind: Role
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-role
rules:
  # The wildcard apiGroups entry is wider than the two groups these resources
  # live in ("" for pods and its subresources, "batch" for jobs).
  - apiGroups: ["*"]
    resources: ["jobs", "pods", "pods/log", "pods/exec", "pods/attach"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # over-permission for now
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-binding
roleRef:
  # NOTE(review): an empty apiGroup relies on API-server defaulting to
  # rbac.authorization.k8s.io — confirm against the cluster versions the chart targets.
  apiGroup: ""
  kind: Role
  name: {{ include "airbyte.serviceAccountName" . }}-role
subjects:
  - kind: ServiceAccount
    name: {{ include "airbyte.serviceAccountName" . }}
# Closes a template conditional whose opening is not part of this excerpt.
{{- end }}
Feature description
Currently one needs to set up cluster roles for Kestra so that it is able to create Pods and stream execution logs.
We do it like this:
Instead, it could be embedded directly in the Kestra Helm chart using templating, as Airbyte does here: