Hello guys,
I ran into an issue with pipeline running on kubeflow kale
OS : ubuntu 18.04
K8s: v1.18.9
kubeflow 1.2
kale 0.7.0
(data) = self.read_namespaced_pod_with_http_info(name, namespace, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/core_v1_api.py", line 18537, in read_namespaced_pod_with_http_info
collection_formats=collection_formats)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 334, in call_api
_return_http_data_only, collection_formats, _preload_content, _request_timeout)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 168, in __call_api
_request_timeout=_request_timeout)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 355, in request
headers=headers)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/rest.py", line 231, in GET
query_params=query_params)
File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/rest.py", line 222, in request
raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 27 Aug 2021 06:56:12 GMT', 'Content-Length': '361'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"basicpipeline-79d82-1230976297\" is forbidden: User \"system:serviceaccount:mtcai-sandbox:default-editor\" cannot get resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"name":"basicpipeline-79d82-1230976297","kind":"pods"},"code":403}
It just happened when the pipeline pod is being created
What I'm curious on this is
my pod is properly configured with default-editor serviceaccount
and this serviceaccount(default-editor) is also well bound with a clusterrole (kubeflow-edit) which has get (and other stuffs too) role to pods in the same namespace, through rolebinding default-editor
which are all kubeflow default settings.
can't show all the k8s resources' set ups because of some issues.
Hope someone can solve this weird issue.
Hello guys, I ran into an issue with pipeline running on kubeflow kale
OS : ubuntu 18.04 K8s: v1.18.9 kubeflow 1.2 kale 0.7.0
(data) = self.read_namespaced_pod_with_http_info(name, namespace, **kwargs) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/core_v1_api.py", line 18537, in read_namespaced_pod_with_http_info collection_formats=collection_formats) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 334, in call_api _return_http_data_only, collection_formats, _preload_content, _request_timeout) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 168, in __call_api _request_timeout=_request_timeout) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 355, in request headers=headers) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/rest.py", line 231, in GET query_params=query_params) File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/rest.py", line 222, in request raise ApiException(http_resp=r) kubernetes.client.rest.ApiException: (403) Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 27 Aug 2021 06:56:12 GMT', 'Content-Length': '361'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"basicpipeline-79d82-1230976297\" is forbidden: User \"system:serviceaccount:mtcai-sandbox:default-editor\" cannot get resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"name":"basicpipeline-79d82-1230976297","kind":"pods"},"code":403}
It just happened when the pipeline pod is being created
What I'm curious on this is my pod is properly configured with default-editor serviceaccount and this serviceaccount(default-editor) is also well bound with a clusterrole (kubeflow-edit) which has get (and other stuffs too) role to pods in the same namespace, through rolebinding default-editor which are all kubeflow default settings.
can't show all the k8s resources' set ups because of some issues. Hope someone can solve this weird issue.