[BUG]: kubernetes orchestrator fails trying to create clusterrolebinding instead of rolebinding
System Information
encountered with zenml 0.43.0 but affects latest version
What happened?
The Kubernetes orchestrator, when creating a service account to run pipeline pods (as per https://docs.zenml.io/v/docs/stacks-and-components/component-guide/orchestrators/kubernetes#additional-configuration), tries to create a ClusterRoleBinding to the "edit" ClusterRole. This would, however, give that service account "edit" access in every namespace of the cluster, which is a security concern, so in a securely set up production cluster creating this ClusterRoleBinding would be prohibited.
At the same time, it shouldn't be necessary to create this ClusterRoleBinding to begin with: the service account only needs "edit" entitlements in the target namespace in which it is going to run the pipeline. A RoleBinding that references the "edit" ClusterRole grants exactly that, scoped to the binding's own namespace. The orchestrator should therefore create a RoleBinding instead of a ClusterRoleBinding here: https://github.com/zenml-io/zenml/blob/main/src/zenml/integrations/kubernetes/orchestrators/manifest_utils.py#L290
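As an added illustration (not ZenML's own code), here is the namespaced RoleBinding the report asks for next to the ClusterRoleBinding it objects to, plus a small check that mirrors the RBAC scoping rule, so the difference in blast radius is visible. Function names and the namespace list are assumptions for the example.

```python
# Added example, not ZenML's own code. Builds the namespaced RoleBinding the
# report asks for, the ClusterRoleBinding it objects to, and computes which
# namespaces each one lets the service account edit.
from typing import Any, Dict, List, Set

EDIT_ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"}


def _subject(namespace: str, service_account: str) -> Dict[str, str]:
    return {"kind": "ServiceAccount", "name": service_account, "namespace": namespace}


def build_edit_role_binding(namespace: str, service_account: str, name: str) -> Dict[str, Any]:
    """RoleBinding in `namespace`: the referenced 'edit' ClusterRole applies only there."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [_subject(namespace, service_account)],
        "roleRef": EDIT_ROLE_REF,
    }


def build_edit_cluster_role_binding(namespace: str, service_account: str, name: str) -> Dict[str, Any]:
    """ClusterRoleBinding (cluster-scoped, so no metadata.namespace): 'edit' everywhere."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [_subject(namespace, service_account)],
        "roleRef": EDIT_ROLE_REF,
    }


def namespaces_editable_by(bindings: List[Dict[str, Any]], namespace: str,
                           service_account: str, all_namespaces: List[str]) -> Set[str]:
    """Namespaces in which `bindings` grant 'edit' to the given service account.

    Mirrors the RBAC rule: a RoleBinding grants only inside its own namespace,
    a ClusterRoleBinding grants in every namespace of the cluster.
    """
    granted: Set[str] = set()
    for b in bindings:
        if b["roleRef"] != EDIT_ROLE_REF or _subject(namespace, service_account) not in b["subjects"]:
            continue
        if b["kind"] == "ClusterRoleBinding":
            granted.update(all_namespaces)
        elif b["kind"] == "RoleBinding":
            granted.add(b["metadata"]["namespace"])
    return granted
```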
Reproduction steps
...
Relevant log output
HTTP response body:
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:testnamespace:zenml\" cannot create resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"group":"rbac.authorization.k8s.io","kind":"clusterrolebindings"},"code":403}