Page MenuHomePhabricator
Create Task
Maniphest T374062

Support running a job using an alternate service account
Open, Needs TriagePublicFeature
Actions

Description

The k8s-status tool uses a special service account at runtime that gives it a read-only view across the entire cluster. See T233372: Create a "novaobserver" equivalent for Toolforge Kubernetes cluster inspection and https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Maintenance#wmcs-k8s-enable-cluster-monitor for more details about why and how this is possible.

Today k8s-status has to use a custom script to start its Pods. It would be more ideal if it could use the normal toolforge jobs ... command with a new argument something like --serviceAccount=k8s-status-obs to change its runtime service account.

The tool actually needs this functionality for running a webservice, but it seems reasonable to add the functionality to toolforge jobs and get webservice support via T348755: [jobs-api,webservice] Run webservices via the jobs framework.

Related Objects

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits