Airflow k8s operator xcom - Handshake status 403 Forbidden


Problem description

When I run a docker image using KubernetesPodOperator in Airflow version 1.10

Once the pod finishes the task successfully, airflow tries to get the xcom value by making a connection to the pod via k8s stream client.

Below is the error I get:

[2018-12-18 05:29:02,209] {{models.py:1760}} ERROR - (0)
Reason: Handshake status 403 Forbidden
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/kubernetes/stream/ws_client.py", line 249, in websocket_call
    client = WSClient(configuration, get_websocket_url(url), headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/stream/ws_client.py", line 72, in __init__
    self.sock.connect(url, header=header)
  File "/usr/local/lib/python3.6/site-packages/websocket/_core.py", line 223, in connect
    self.handshake_response = handshake(self.sock, *addrs, **options)
  File "/usr/local/lib/python3.6/site-packages/websocket/_handshake.py", line 79, in handshake
    status, resp = _get_resp_headers(sock)
  File "/usr/local/lib/python3.6/site-packages/websocket/_handshake.py", line 152, in _get_resp_headers
    raise WebSocketBadStatusException("Handshake status %d %s", status, status_message)
websocket._exceptions.WebSocketBadStatusException: Handshake status 403 Forbidden

I'm using K8s service account for this

DAG configuration

xcom=true,

get_logs=True,

in_cluster=true

Recommended answer

So we also hit this problem, we had to modify our rbac rules, in particular we had to add the resource "pods/exec" with the verbs "create" and "get"

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-runner
rules:
- apiGroups: [""]
  resources: ["deployments", "pods", "pods/log", "pods/exec", "persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["singleuser-image-credentials"]
  verbs: ["read","list","watch","create","get"]
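
Added example (not part of the original answer): a simplified Python model of RBAC rule matching that shows why a wildcard verb on "pods" does not cover the "pods/exec" subresource the xcom fetch uses, and that a narrower rule than verbs: ["*"] also satisfies the two verbs the answer names. The BEFORE and NARROW rule sets are constructed; the model handles only "*" and exact matches and skips rules with resourceNames.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not Airflow
# or Kubernetes code). Only "*" wildcards and exact matches are modelled.

def _matches(allowed, requested):
    return "*" in allowed or requested in allowed

def is_allowed(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource` (e.g. "pods/exec")."""
    for rule in rules:
        if rule.get("resourceNames"):
            continue  # name-scoped rules are outside this simplified model
        if (_matches(rule.get("apiGroups", []), api_group)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False

# Per the answer above: resource "pods/exec" with verbs "create" and "get".
XCOM_REQUIREMENTS = [("", "pods/exec", "create"), ("", "pods/exec", "get")]

def missing_for_xcom(rules):
    """Return the xcom requirements that `rules` do not grant."""
    return [req for req in XCOM_REQUIREMENTS if not is_allowed(rules, *req)]

# Constructed: a role that can run pods and read logs but lacks pods/exec.
# "pods" with verbs ["*"] does NOT extend to the "pods/exec" subresource.
BEFORE = [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["*"]}]

# The first rule from the answer's ClusterRole.
PAGE_RULE = [{"apiGroups": [""],
              "resources": ["deployments", "pods", "pods/log", "pods/exec",
                            "persistentvolumeclaims"],
              "verbs": ["*"]}]

# Constructed: BEFORE plus only the two verbs the answer names on pods/exec.
NARROW = BEFORE + [{"apiGroups": [""], "resources": ["pods/exec"],
                    "verbs": ["create", "get"]}]

if __name__ == "__main__":
    for name, rules in [("before", BEFORE), ("page", PAGE_RULE), ("narrow", NARROW)]:
        print(name, "missing:", missing_for_xcom(rules))
```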
