Is it possible to configure the service account for a Workflow's task node? #4368
Unanswered
timflannagan
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hey folks - great project. I've been playing around with a Workflow CR that configures several task nodes, and I'm wondering whether it's possible to configure the service account that gets used for the underlying Pod that gets spawned for a task node within a workflow's execution.
The use case here is I want to be able to configure a task that spawns a container image with kubectl installed to apply inline YAML resources, but I'm running into RBAC issues attempting to persist those resources to the cluster. Looking at the underlying Pod that gets created in the chaos-mesh namespace, the issue is that the "default" ServiceAccount resource doesn't have the requisite permissions to create the desired custom resource outlined within that task.
Being able to override the serviceAccountName on the Pod with a service account that has the proper RBAC permissions would make the workflow a bit simple. Otherwise, I can create the necessary RBAC during test initialization so this would be more-or-less a quality of life (QoL) fix than a legitimate blocker.
I went through the open issues & the helm chart values and didn't see anything immediately configurable, but it's possible I'm missing something obvious here.
Beta Was this translation helpful? Give feedback.
All reactions