-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Grant S3 access to notebook & dask pods #618
Conversation
eksctl [supports](https://eksctl.io/usage/iamserviceaccounts/#usage-with-config-files) creating kubernetes service acocunts bound with [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). We create one with S3 access, and bind it to our notebook and dask pods. This should give them full s3 access. Remove separate eksctl cluster jsonnet object, since it was not doing anything useful. Stolen from 2i2c-org#436 Fixes 2i2c-org#492
I've deployed this |
Question here related to 2i2c-org/team-compass#175 - since you've already deployed this PR, what kind of feedback are you looking for in a review? Is there something specific you think needs eyeballs? More generally, my instinct is that we should keep "merge" as an automatic step after "deploy". If something is deployed but not merged, then there's a mismatch between the state of the infrastructure and the state of our repositories, right? If that's the case, my feeling is that our policy should be "ask for reviews before deploying (if it's the kind of change that requires reviews), and once deployed, immediately merge" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM from what I can tell! Novice to jsonnet syntax though.
@choldgraf good question. So this was deployed, but @jhamman tested it and found bugs. so I'll amend this PR until it works and then merge it. This is similar to how it played out in #605 - @consideRatio provided valuble feedback that changed the PR before it was deployed. So I've amended and deployed this PR again, and am waiting for Joe to test this again.
I completely agree! However, I think for deployments reviews will not catch a lot of issues until after deployment, since we don't actually know how things will turn out until the deployment happens. Deploying is a bit like running code you write locally - it feels kinda wrong to ask people to review it without making any deploys, since it's like asking people to review code you haven't run locally... So I'm not actually sure what the right thing to do here is, and I seem to be changing my mind here many times. |
Thanks, @consideRatio. @choldgraf I agree that me merging this after I deployed it was probably the right thing to do - but I wanted to make sure I could both get @jhamman to test it and @consideRatio to review it. Some sort of post-deploy (not necessarily post-merge?) review... |
This is when having some real "staging" scenario could help, IMHO. |
Btw, belated review on the code and LGTM 😉 |
eksctl
supports
creating kubernetes service acocunts bound with
IRSA.
We create one with S3 access, and bind it to our notebook and dask
pods. This should give them full s3 access.
Remove separate eksctl cluster jsonnet object, since it was
not doing anything useful.
Stolen from #436
Fixes #492