Sure. We’re running Prefect Cloud, agent is 2.7.8-python3.9
I created the deployment via the CLI just as you suggested in another post and everything looked good. I manually set up my own kubernetes-job infrastructure block by following guidance from this article. When I kick off a quick run of the deployment, it downloads the flow, installs my python packages but errors out. I see the error when I check the agent container logs as well as in the UI under flow runs on the right side under “State Message”.
Here’s the full error:
Submission failed.
kubernetes.client.exceptions.ApiException: (403) Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'cde075a5-295d-4ae6-91d3-ac77bb1b54a7', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': 'e1dae13e-5384-4153-ab9d-600428fb2323', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'af721c74-081b-44a4-aafd-cbe63a8a4ff6', 'Date': 'Fri, 13 Jan 2023 18:02:30 GMT', 'Content-Length': '340'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:prefect:default\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"","reason":"Forbidden","details":{"name":"kube-system","kind":"namespaces"},"code":403}
The only thing the Flow Run logs show is:
Downloading flow code from storage at 'flows'
The container log show a little more, particularly in kubernetes.py line 397 in _get_cluser_uid :
18:02:30.398 | INFO | prefect.agent - Submitting flow run 'edbbab26-07ab-4719-b008-b4b7c3995f9e'
18:02:30.903 | ERROR | prefect.agent - Failed to submit flow run 'edbbab26-07ab-4719-b008-b4b7c3995f9e' to infrastructure.
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/prefect/agent.py", line 424, in _submit_run_and_capture_errors
result = await infrastructure.run(task_status=task_status)
File "/usr/local/lib/python3.9/site-packages/prefect/infrastructure/kubernetes.py", line 279, in run
pid = await run_sync_in_worker_thread(self._get_infrastructure_pid, job)
File "/usr/local/lib/python3.9/site-packages/prefect/utilities/asyncutils.py", line 91, in run_sync_in_worker_thread
return await anyio.to_thread.run_sync(
File "/usr/local/lib/python3.9/site-packages/anyio/to_thread.py", line 31, in run_sync
return await get_asynclib().run_sync_in_worker_thread(
File "/usr/local/lib/python3.9/site-packages/anyio/_backends/_asyncio.py", line 937, in run_sync_in_worker_thread
return await future
File "/usr/local/lib/python3.9/site-packages/anyio/_backends/_asyncio.py", line 867, in run
result = context.run(func, *args)
File "/usr/local/lib/python3.9/site-packages/prefect/infrastructure/kubernetes.py", line 361, in _get_infrastructure_pid
cluster_uid = self._get_cluster_uid()
File "/usr/local/lib/python3.9/site-packages/prefect/infrastructure/kubernetes.py", line 397, in _get_cluster_uid
namespace = client.read_namespace("kube-system")
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", line 22476, in read_namespace
return self.read_namespace_with_http_info(name, **kwargs) # noqa: E501
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api/core_v1_api.py", line 22555, in read_namespace_with_http_info
return self.api_client.call_api(
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 348, in call_api
return self.__call_api(resource_path, method,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
response_data = self.request(
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/api_client.py", line 373, in request
return self.rest_client.GET(url,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", line 241, in GET
return self.request("GET", url,
File "/usr/local/lib/python3.9/site-packages/kubernetes/client/rest.py", line 235, in request
raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'cde075a5-295d-4ae6-91d3-ac77bb1b54a7', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': 'e1dae13e-5384-4153-ab9d-600428fb2323', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'af721c74-081b-44a4-aafd-cbe63a8a4ff6', 'Date': 'Fri, 13 Jan 2023 18:02:30 GMT', 'Content-Length': '340'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces \"kube-system\" is forbidden: User \"system:serviceaccount:prefect:default\" cannot get resource \"namespaces\" in API group \"\" in the namespace \"kube-system\"","reason":"Forbidden","details":{"name":"kube-system","kind":"namespaces"},"code":403}
18:02:30.908 | INFO | prefect.agent - Completed submission of flow run 'edbbab26-07ab-4719-b008-b4b7c3995f9e'