Implementation:Kubeflow Pipelines Pipeline Runner Role
| Knowledge Sources | |
|---|---|
| Domains | RBAC, Kubernetes, Pipeline_Execution |
| Last Updated | 2026-02-13 14:00 GMT |
Overview
RBAC Role defining the broad permissions used by the service account that executes pipeline workflow steps at runtime.
Description
The pipeline-runner Role (87 lines) grants permissions to the identity under which Argo Workflow pods run pipeline steps. Permissions include: secrets (get), configmaps (get/watch/list), PVs/PVCs (all), volume snapshots (create/delete/get), Argo workflows and workflowtaskresults, pods/exec/logs/services (all), deployments/replicasets (all), all Kubeflow resources, batch jobs (all), and Seldon deployments (all).
Usage
Applied during KFP deployment. The pipeline-runner ServiceAccount is bound to this role and used by Argo to execute pipeline step pods.
Code Reference
Source Location
- Repository: Kubeflow_Pipelines
- File: manifests/kustomize/base/pipeline/pipeline-runner-role.yaml
- Lines: 1-87
Signature
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipeline-runner
rules:
- apiGroups: [""]
  resources: [secrets]
  verbs: [get]
- apiGroups: [""]
  resources: [configmaps]
  verbs: [get, watch, list]
- apiGroups: [""]
  resources: [persistentvolumes, persistentvolumeclaims]
  verbs: ["*"]
- apiGroups: [argoproj.io]
  resources: [workflows, workflowtaskresults]
  verbs: ["*"]
# ... additional rules for pods, deployments, kubeflow resources, etc.
Import
kubectl apply -f pipeline-runner-role.yaml
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| Kubernetes namespace | namespace | Yes | Target namespace where pipelines execute |
Outputs
| Name | Type | Description |
|---|---|---|
| RBAC Role | Role | Grants pipeline step pods access to required K8s resources |
Usage Examples
Verifying Pipeline Runner Permissions
# Check the role exists
kubectl get role pipeline-runner
# Verify role binding
kubectl get rolebinding -o wide | grep pipeline-runner
# Test pipeline runner can access PVCs
kubectl auth can-i create persistentvolumeclaims \
  --as=system:serviceaccount:kubeflow:pipeline-runner
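
Auditing the Role's Rules

An added example, not code from the Kubeflow Pipelines repository: a small audit that flags wildcard verbs and unscoped access to sensitive resources in a Role, which is the review this role's breadth calls for. The sample input is constructed from the four rules visible in the Signature excerpt; `SAMPLE_ROLE`, `SENSITIVE` and `audit_role` are hypothetical names, and the choice of which resources count as sensitive is an assumption.

```python
import json

# Constructed sample: the four rules visible in the Signature excerpt above,
# in the shape `kubectl get role pipeline-runner -o json` returns.
SAMPLE_ROLE = json.loads("""
{"kind": "Role", "metadata": {"name": "pipeline-runner"},
 "rules": [
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "watch", "list"]},
  {"apiGroups": [""], "resources": ["persistentvolumes", "persistentvolumeclaims"], "verbs": ["*"]},
  {"apiGroups": ["argoproj.io"], "resources": ["workflows", "workflowtaskresults"], "verbs": ["*"]}
 ]}
""")

# Reviewer's assumption (not from the page): grants that deserve a closer look.
SENSITIVE = {
    "secrets": {"get", "list", "watch"},   # credential read
    "pods/exec": {"create", "get"},        # command execution in other pods
    "pods/attach": {"create", "get"},
}

def audit_role(role):
    """Return sorted (rule_index, resource, reason) findings for a Role dict."""
    findings = set()
    for i, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs", []))
        # resourceNames limits the grant to named objects, so it is narrower.
        scoped = bool(rule.get("resourceNames"))
        if "*" in rule.get("apiGroups", []):
            findings.add((i, "*", "wildcard apiGroup"))
        for res in rule.get("resources", []):
            if res == "*":
                findings.add((i, res, "wildcard resource"))
            if "*" in verbs:
                findings.add((i, res, "wildcard verbs"))
            hit = SENSITIVE.get(res, set()) & verbs
            if hit and not scoped:
                findings.add((i, res, "unscoped " + "/".join(sorted(hit))))
    return sorted(findings)

if __name__ == "__main__":
    for idx, res, reason in audit_role(SAMPLE_ROLE):
        print(f"rule {idx}: {res}: {reason}")
```

To audit a deployed role, replace `SAMPLE_ROLE` with the parsed output of `kubectl get role pipeline-runner -o json`.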