Adding annotations to the workflow pod

[SandraGH5]

We have EKS installation with the cilium network overlay. This means that node roles don't work unless workflows run on hostNetwork. We could set up the service accounts and bind those to the roles, but project-namespaces makes it a bit complex (in our case it means a terraforming per project).
One solution could be to use kube2iam, but I am not sure how to add annotations to the workflow pod. Do you have some recommendations about which documentation could help us? Tips to solve the problem are also very welcome. And please let us know if cilium networking is pure madness with eks/flyte.

• Sami Kallio

[SandraGH5]

Kiam was actually used for a long time at Lyft with Flyte. And it worked well, but kiam has some bugs that may affect performance. It takes more time to patch a role sometimes. So we would inject an iam Wait container for every pod, as an init container, that would way fit Iam. It is not very stable at really high scale. But other than that there is native support for it.

Here is the api - https://docs.flyte.org/projects/flyteidl/en/stable/protos/docs/admin/admin.html#executionspec

Auth role or annotations can be passed to the launchplan or execution.

Refer to the docs here - https://docs.flyte.org/projects/flytekit/en/latest/generated/flytekit.LaunchPlan.html#flytekit-launchplan

So, you can use the

AuthRole(assumable_iam_role="my:iam:role")

in your launch plan creation, or you can use annotations:

labels_model = Labels({"label": "foo"})
annotations_model = Annotations({"annotate": "bar"})
launch_plan.LaunchPlan.get_or_create(
    workflow=wf,
    name="your_lp_name_4",
    auth_role=auth_role_model,
    labels=labels_model,
    annotations=annotations_model,
)

This will apply to every execution of this launch plan.

@kumare3