Improve the error message when insufficent RBAC privileges is detected (

resolves argoproj#659)
sivam1 · Jan 11, 2018 · 80f9b1b · 80f9b1b
1 parent 3cf67df
commit 80f9b1b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/cmd/argo/commands/get.go b/cmd/argo/commands/get.go
@@ -71,6 +71,11 @@ func printWorkflowHelper(wf *wfv1.Workflow) {
  const fmtStr = "%-17s %v\n"
  fmt.Printf(fmtStr, "Name:", wf.ObjectMeta.Name)
  fmt.Printf(fmtStr, "Namespace:", wf.ObjectMeta.Namespace)
+ serviceAccount := wf.Spec.ServiceAccountName
+ if serviceAccount == "" {
+ serviceAccount = "default"
+ }
+ fmt.Printf(fmtStr, "ServiceAccount:", serviceAccount)
  fmt.Printf(fmtStr, "Status:", worklowStatus(wf))
  if wf.Status.Message != "" {
  fmt.Printf(fmtStr, "Message:", wf.Status.Message)

diff --git a/workflow/controller/operator.go b/workflow/controller/operator.go
@@ -501,13 +501,20 @@ func inferFailedReason(pod *apiv1.Pod) (wfv1.NodePhase, string) {
  continue
  }
  if ctr.Name == common.WaitContainerName {
- errMsg := fmt.Sprintf("failed to save artifacts")
+ errDetails := ""
  for _, msg := range []string{annotatedMsg, ctr.State.Terminated.Message} {
  if msg != "" {
- errMsg += ": " + msg
+ errDetails = msg
  break
  }
  }
+ if errDetails == "" {
+ // executor is expected to annotate a message to the pod upon any errors.
+ // If we failed to see the annotated message, it is likely the pod ran with
+ // insufficient privileges. Give a hint to that effect.
+ errDetails = fmt.Sprintf("verify serviceaccount %s:%s has necessary privileges", pod.ObjectMeta.Namespace, pod.Spec.ServiceAccountName)
+ }
+ errMsg := fmt.Sprintf("failed to save outputs: %s", errDetails)
  failMessages[ctr.Name] = errMsg
  } else {
  if ctr.State.Terminated.Message != "" {