Container Groups and Namespaces

Get Help
, ,
1

I want to use a custom pod specification with a container group.

The AWX install is in namespace1

I have created a second namespace namespace2 where I want to run container group jobs.

Both namespaces are on the same Kubernetes cluster.

I created a service account with secret in namespace2. It has the rights to create secrets and run pods in namespace2

I created a credential of type Kubernetes Bearer Token using the certificate data and token of the service account from namespace2

I also created a container group that is linked to this credential

My expectation is that when the EE image runs, it uses this service account credential and creates a pod in namespace2

However, when running I get this error,

Error creating pod: pods is forbidden: User "system:serviceaccount:namespace2:serviceaccountname" cannot create resource "pods" in API group "" in the namespace "namespace1"

Why is it trying to create a pod in namespace1 instead of namespace2???

Bit frustrated. Any guidance is most appreciated!!

2

Hi @Jake_K

Have you modified the container group pod spec with the desired namespace?

Best regards,

Joe

3

Hi Joe,

Thanks for the response. Yes, I did update the namespace in the pod spec to the new namespace.

apiVersion: v1
kind: Pod
metadata:
  namespace: namespace2
spec:
  serviceAccountName: serviceaccountname
  automountServiceAccountToken: true

I have tried the following variations without success,

serviceAccountName: serviceaccountname and also serviceAccountName: default
automountServiceAccountToken: true and also automountServiceAccountToken: false

I also granted serviceaccountname pretty much all rights just to rule that out as the issue.

Does not seem to pick the right namespace :frowning:

Jake.

4

I have a setup similar to yours and it functions correctly. My spec is this

apiVersion: v1
kind: Pod
metadata:
  namespace: from-prod-awx
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: 'quay.io/ansible/awx-ee:latest'
      name: worker
      args:
        - ansible-runner
        - worker
        - '--private-data-dir=/runner'
      resources:
        requests:
          cpu: 250m
          memory: 100Mi

I have attached to it a credential of type ā€œOpenShift or Kubernetes API Bearer Tokenā€ with my kubernetes API endpoint defined in that cred.

This works as expected in my own AWX deployment, so all I can think of is to double check your AWX job template is configured to use the correct instance group for the namespace you want to use.

5

@mcen1 - Thanks for testing! So I assume the ā€œfrom-prod-awxā€ namespace is a different namespace from the one that the AWX tower is deployed to?

6

Different remote cluster and namespace, yes. I have a namespace for prod and nonprod and both work as expected.

7

@mcen1 - I have the same Credential (k8s API bearer token) configured both on the container group definition as well as on the template definition. Should I be only specifying it on the template and not on the container group? Or vice-versa? But otherwise, I do have the credential connected to both the template as well as the container group.

8

You donā€™t need the credential on the job template, just associated with the instance group. Since you are not seeing the right namespace, I suspect your job template isnā€™t configured to use that instance group and is just defaulting to the default instance group.

image
image913Ɨ694 24.7 KB

If you had an incorrect cred or one with insufficient permissions, youā€™d see an error about being unable to connect or create a pod or some other aspect of the necessary permissions. Your seeing pods in the wrong namespace seems to me like something simple is missing right now for you.

Try posting your job template with any sensitive info redacted, also the kubernetes cred youā€™re using too.

9

@mcen1 - Here are the screenshots:

Firstly, the credential configuration

ContainerGroup02
ContainerGroup021413Ɨ634 47.5 KB

And here is the Container Group. Please note that the XXX-awxexecution-dv-ns is the namespace where I want it to run

ContainerGroup03
ContainerGroup031387Ɨ768 51.9 KB

And finally the template itself

ContainerGroup01
ContainerGroup011348Ɨ1750 139 KB

Thanks!

10

Hmm, everything looks correct to me. Try running your job template with very high verbosity and see if it yields any insights.

11

Didnt realize there was a verbosity switch on the Template :slight_smile: Tried that. But the output message is exactly the same. No extra details than in Normal mode of logging.

12

What is the contents of your inventory associated to the template, MyContainerGroup01Inventory?

13

The ā€œInstance Groupsā€ is set to Mycontainergroup01ā€¦which is the name of my Container Group. I just have a dummy host called localhost with this variable yaml

{ā€˜ansible_hostā€™: ā€˜127.0.0.1ā€™, ā€˜ansible_connectionā€™: ā€˜localā€™}

14

Gotcha. Iā€™m out of ideas on things to check, your setup looks correct to me. Maybe thereā€™s some deep kubernetes/awx lore Iā€™m missing out on that made mine work

15

Hey @mcen1, I really appreciate that you took the time to review my configuration!!! Iā€™ll keep troubleshooting! :slight_smile: Cheers!!

16

Still no success. What I am concluding is that the container group set on the template is not getting used. Although the completed jobs show up with the correct container group name, I donā€™t think its really using the container group. That would explain why it is not using the right namespace. Also, other changes in my customized pod specification do not seem to be getting applied. Any thoughts on why it might be ignoring my container group??

17

Donā€™t know why it would be happening like what youā€™re describing. Just for giggles, in the AWX UI, go to instance groups and click on the ā€œdefaultā€ container group, then click on the Jobs tab. See if your jobs are landing in the default container group instead of your desired container group.

18

Good suggestion. I checked that also. The executed jobs all appear under the right container group instanceā€¦but I dont feel its using the custom pod specification. Reason I am suspecting this is because,

  • There is a custom namespace that it is ignoring
  • There is a volume mount I am trying to add. But when I query for mounts, it doesnt show up in the Ansible playbook

So I feel its either picking the right container group but then ignoring the custom pod spec. OR its not using the container group at all. Since the jobs show up on the right container group, I am thinking its more the former where its not applying the custom pod spec.

In this link it states,
Note that the image used by a job running in a container group is always overridden by the Execution Environment associated with the job.

Does that mean it will also ignore the custom pod spec? If I blank out the Execution environment on the template, it still picks ā€œAWX EE (24.6.1)ā€ as default.

19

Interestingā€¦

What version of AWX are you running?

Also, if you look at a recent job run from your job templateā€™s ā€œJobā€ history tab and click on it, do you see that job run indeed used the container group you expected it to in the ā€œjob detailsā€ tab (see pic below)? If so, can you click on container group nameā€™s link from that piece of the UI and validate the container group is the one with your desired pod spec?

image
image1514Ɨ600 35.1 KB

Your issue is very odd and Iā€™m academically curious what may be going wrong. I canā€™t think of solutions, only some other ideas for troubleshooting.

20

And I really appreciate all the interest and troubleshooting advice you have provided! Otherwise, its so easy to lose heart and walk away if community support is lacking :slight_smile: So thanks again!

Version is core 2.18.7

Yes, the container group its showing on the job is the right one.