8

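When I run a Docker image using KubernetesPodOperator in Airflow version 1.10

Once the pod finishes the task successfully, Airflow tries to get the xcom value by making a connection to the pod via the k8s stream client.

Following is the error I encountered: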

[2018-12-18 05:29:02,209] {{models.py:1760}} ERROR - (0)
Reason: Handshake status 403 Forbidden
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/kubernetes/stream/ws_client.py", line 249, in websocket_call
    client = WSClient(configuration, get_websocket_url(url), headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/stream/ws_client.py", line 72, in __init__
    self.sock.connect(url, header=header)
  File "/usr/local/lib/python3.6/site-packages/websocket/_core.py", line 223, in connect
    self.handshake_response = handshake(self.sock, *addrs, **options)
  File "/usr/local/lib/python3.6/site-packages/websocket/_handshake.py", line 79, in handshake
    status, resp = _get_resp_headers(sock)
  File "/usr/local/lib/python3.6/site-packages/websocket/_handshake.py", line 152, in _get_resp_headers
    raise WebSocketBadStatusException("Handshake status %d %s", status, status_message)
websocket._exceptions.WebSocketBadStatusException: Handshake status 403 Forbidden

I am using a K8s service account for this.

DAG configuration

xcom=true,

get_logs=true,

in_cluster=true

4

2 Answers

7

So we also ran into this problem. We had to modify our RBAC rules; in particular, we had to add the resource "pods/exec" with the verbs "create" and "get".

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-runner
rules:
- apiGroups: [""]
  resources: ["deployments", "pods", "pods/log", "pods/exec", "persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["singleuser-image-credentials"]
  verbs: ["read","list","watch","create","get"]
answered 2019-03-07T02:26:23.507
0

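In my case, I am running a pod with a Python script in a Kubernetes cluster in which another pod is running. The script tries to perform operations on the other pod, such as list, get, and exec commands inside the pod. To use exec, the following ClusterRole and ClusterRoleBinding worked.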

ClusterRole

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-exec
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["*"]

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-exec
subjects:
- kind: ServiceAccount
  name: default
  namespace: couchdb
roleRef:
  kind: ClusterRole
  name: pod-exec
  apiGroup: rbac.authorization.k8s.io

Remember to change the name of your ServiceAccount and the namespace.

answered 2021-10-18T13:07:52.063
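
The following is an added example, not code from either answer: a small offline model of how Kubernetes RBAC matches a request against rules, showing why a grant on "pods" does not cover the "pods/exec" subresource and how a role scoped to explicit verbs compares with verbs: ["*"]. The rule sets and the NEEDED list are constructed assumptions based on the settings in the question.

```python
# Added example: offline model of how Kubernetes RBAC matches a request to rules.
# Rule dicts mirror the YAML "rules:" entries; all sample data is constructed.
# resourceNames restrictions are not modelled here.

def _any(allowed_values, value):
    return "*" in allowed_values or value in allowed_values

def _resource_ok(rule_resources, resource, subresource):
    # A subresource is authorized under its combined name, e.g. "pods/exec".
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry in ("*", combined):
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def is_allowed(rules, verb, resource, subresource="", api_group=""):
    return any(
        _any(r.get("apiGroups", []), api_group)
        and _any(r.get("verbs", []), verb)
        and _resource_ok(r.get("resources", []), resource, subresource)
        for r in rules
    )

# Assumption: requests made with the settings in the question
# (pod launch, get_logs, xcom via the stream client).
NEEDED = [("create", "pods", ""), ("get", "pods", ""), ("get", "pods", "log"),
          ("create", "pods", "exec"), ("get", "pods", "exec")]

def missing(rules):
    """Return the needed requests that the rules deny, as 'verb resource' strings."""
    return [f"{v} {r}/{s}" if s else f"{v} {r}"
            for v, r, s in NEEDED if not is_allowed(rules, v, r, s)]

# Constructed role without pods/exec: the exec handshake is the denied request.
WITHOUT_EXEC = [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["*"]}]

# Constructed least-privilege alternative to verbs: ["*"].
SCOPED = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
]

if __name__ == "__main__":
    print("without exec rule, denied:", missing(WITHOUT_EXEC))
    print("scoped role, denied:", missing(SCOPED))
```

Against a live cluster, the equivalent check is `kubectl auth can-i create pods --subresource=exec --as=system:serviceaccount:<namespace>:<serviceaccount>`.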