You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Switch the Kubernetes client call to read_namespaced_pod_status() to read_namespaced_pod(), which is functionally the same but requires fewer permissions. (#3487)
Switch the Kubernetes client call to read_namespaced_pod_status() to read_namespaced_pod(), which is functionally the same but requires fewer permissions
This change is based on the comment kubernetes-client/python#993 (comment). Similar to the user in the reporter of that issue, I was seeing forbidden permission when making the read_namespaced_pod_status() call, and according to the discussion there, this can be fixed by using read_namespaced_pod() instead which is almost exactly the same request/response (except the metadata.selfLink field, which is not used by the parsl code). It seems that the read_namespaced_pod_status() call requires an additional permission on "pods/status", while read_namespaced_pod() does not (I didn't check but I can only assume the latter is using permissions on the pod itself that other parts of the parsl code likely would require as well).
For Google Kubernetes Engine in particular, the predefined "Kubernetes Engine Developer" IAM role grants sufficient permissions for read_namespaced_pod() and everything else needed by parsl but not for read_namespaced_pod_status().
0 commit comments