[platform] Service Account missing from workload-launcher spawned pods #48888

Open

joeybenamy opened this issue Dec 10, 2024 · 3 comments

Labels: area/platform (issues related to the platform), community, team/deployments, type/bug (Something isn't working)

joeybenamy commented Dec 10, 2024

Helm Chart Version

1.3.0

What step the error happened?

During the Sync

Relevant information

The pods that the workload launcher spawns have the service account set to default instead of the service account set in Helm values and used by the workload-launcher itself. We need the same service account mapped to the spawned pods so that we can write logs to AWS S3 using the IAM role mapped to the Kubernetes service account. I believe the issue is that the pod factory for the workload launcher does not specify a service account.

Perhaps in:
https://github.com/airbytehq/airbyte-platform/blob/2c4dffdd701ee1977c0a56d78fe2b0c3aee7624f/airbyte-workload-launcher/src/main/kotlin/pods/factories/InitContainerFactory.kt#L44C25-L44C26

The container builder should be modified to:

```kotlin
        return ContainerBuilder()
            .withName(ContainerConstants.INIT_CONTAINER_NAME)
            .withImage(resolvedImage)
            .withImagePullPolicy(initContainerInfo.pullPolicy)
            .withWorkingDir(FileConstants.CONFIG_DIR)
            .withResources(resourceReqs)
            .withVolumeMounts(volumeMounts)
            .withSecurityContext(workloadSecurityContextProvider.rootlessContainerSecurityContext())
            .withEnv(envVars + runtimeEnvVars)
            .withServiceAccount(serviceAccountName) // Add this line
            .build()
```

The service account should probably be added to the other container and pod factories as well, if set in Helm values.

Relevant log output

descampsk (Contributor) commented Dec 11, 2024

It worked in 1.2.0, I suspect a regression with the 1.3.0 upgrade.

Our BigQuery destination does not work anymore with default credentials: "Access Denied: Dataset get-actionable-dev:airbyte_europe_west1: Permission bigquery.datasets.get denied on dataset"

Before, it had the right service account associated.

descampsk (Contributor) commented

In 1.3.0, the pod has:

```yaml
  serviceAccount: default
  serviceAccountName: default
```

But in 1.2.0:

```yaml
  serviceAccount: airbyte-admin
  serviceAccountName: airbyte-admin
```
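An audit check for the symptom described in the issue body and confirmed by the pod specs quoted above, added here as an example and not code from the issue or from the Airbyte project: it parses the output of `kubectl get pods -o json`, selects the job pods spawned by the workload launcher, and reports any whose effective service account differs from the one configured in Helm values. A pod that silently falls back to `default` loses the IAM role (IRSA) or Workload Identity binding attached to the intended service account, which is exactly the S3 and BigQuery access-denied failures both reporters saw, so catching the mismatch before a sync runs is cheaper than debugging the destination. The `airbyte: job-pod` label selector, the pod names and the `SAMPLE_PODS_JSON` fixture are constructed assumptions, not data from a real cluster.

```python
import json

# Constructed sample of `kubectl get pods -n airbyte -o json` output (not real cluster data).
# One launcher pod with the right SA, three job pods in the three states a reviewer must handle.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "workload-launcher-7d9f", "labels": {"app": "airbyte-workload-launcher"}},
         "spec": {"serviceAccountName": "airbyte-admin"}},
        {"metadata": {"name": "source-postgres-read-1234", "labels": {"airbyte": "job-pod"}},
         "spec": {"serviceAccountName": "default"}},                 # explicit fallback to default
        {"metadata": {"name": "destination-s3-write-1234", "labels": {"airbyte": "job-pod"}},
         "spec": {"serviceAccount": "airbyte-admin"}},               # only the deprecated alias is set
        {"metadata": {"name": "orchestrator-repl-1234", "labels": {"airbyte": "job-pod"}},
         "spec": {}},                                                # neither field: Kubernetes uses "default"
    ]
})


def effective_service_account(pod_spec: dict) -> str:
    """Resolve the service account a pod actually runs under.

    Kubernetes treats a missing serviceAccountName as "default". The legacy
    serviceAccount field is a deprecated alias that the API server copies into
    serviceAccountName, so honour it when only the alias is present.
    """
    return pod_spec.get("serviceAccountName") or pod_spec.get("serviceAccount") or "default"


def find_pods_with_wrong_sa(pods_json: str, expected_sa: str, selector: dict) -> list[tuple[str, str]]:
    """Return (pod_name, actual_sa) for every pod matching all `selector` labels
    whose effective service account is not `expected_sa`."""
    pods = json.loads(pods_json)["items"]
    mismatches = []
    for pod in pods:
        labels = pod.get("metadata", {}).get("labels", {})
        if not all(labels.get(key) == value for key, value in selector.items()):
            continue
        actual = effective_service_account(pod.get("spec", {}))
        if actual != expected_sa:
            mismatches.append((pod["metadata"]["name"], actual))
    return mismatches


if __name__ == "__main__":
    # "airbyte-admin" is the SA from the 1.2.0 pod spec quoted in the thread; the label is an assumption.
    for name, sa in find_pods_with_wrong_sa(SAMPLE_PODS_JSON, "airbyte-admin", {"airbyte": "job-pod"}):
        print(f"{name}: runs as '{sa}', expected 'airbyte-admin'")
```

Pipe real output in with `kubectl get pods -n <namespace> -o json` and pass the service account name from your Helm values; the pod that sets only the deprecated `serviceAccount` alias is deliberately treated as correct, because the API server normalises it into `serviceAccountName`, so a naive check on that one key alone would produce a false positive.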

marcosmarxm (Member) commented

@airbytehq/platform-deployments can someone take a look into this issue?
