From 962e3697fa912489f6cc4b118337ff9d6abeca5e Mon Sep 17 00:00:00 2001 From: Dane Urban Date: Fri, 27 Feb 2026 10:52:55 -0800 Subject: [PATCH 1/3] fix 1 --- code-interpreter/app/services/executor_kubernetes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py index 0f611cb..f6cc996 100644 --- a/code-interpreter/app/services/executor_kubernetes.py +++ b/code-interpreter/app/services/executor_kubernetes.py @@ -83,7 +83,7 @@ def __init__(self) -> None: def check_health(self) -> HealthCheck: """Verify Kubernetes API is reachable and the namespace is accessible.""" try: - self.v1.read_namespace(name=self.namespace) + self.v1.list_namespaced_pod(namespace=self.namespace, limit=1) except ApiException as e: return HealthCheck( status="error", From c50c2f8c097164da38f703d212f13dd8db8f24b1 Mon Sep 17 00:00:00 2001 From: Dane Urban Date: Fri, 27 Feb 2026 10:59:47 -0800 Subject: [PATCH 2/3] fix health issue --- .../app/services/executor_kubernetes.py | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py index f6cc996..1634b95 100644 --- a/code-interpreter/app/services/executor_kubernetes.py +++ b/code-interpreter/app/services/executor_kubernetes.py @@ -81,9 +81,30 @@ def __init__(self) -> None: self.service_account = KUBERNETES_EXECUTOR_SERVICE_ACCOUNT def check_health(self) -> HealthCheck: - """Verify Kubernetes API is reachable and the namespace is accessible.""" + """Verify Kubernetes API is reachable and we can create pods in the namespace.""" try: - self.v1.list_namespaced_pod(namespace=self.namespace, limit=1) + auth_api = client.AuthorizationV1Api() + review = auth_api.create_self_subject_access_review( + body=client.V1SelfSubjectAccessReview( + spec=client.V1SelfSubjectAccessReviewSpec( + resource_attributes=client.V1ResourceAttributes( + namespace=self.namespace, + verb="create", + resource="pods", + ) + ) + ) + ) + if not review.status.allowed: + reason = review.status.reason or "no reason provided" + logger.warning( + f"Health check failed: cannot create pods in namespace={self.namespace} " + f"(reason={reason})" + ) + return HealthCheck( + status="error", + message=f"Service account lacks permission to create pods in namespace={self.namespace}", + ) except ApiException as e: return HealthCheck( status="error", From be36d9c2a9bc3c0ae758a90334f78f55dbbac63e Mon Sep 17 00:00:00 2001 From: Dane Urban Date: Fri, 27 Feb 2026 15:51:11 -0800 Subject: [PATCH 3/3] . --- code-interpreter/app/services/executor_kubernetes.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/code-interpreter/app/services/executor_kubernetes.py b/code-interpreter/app/services/executor_kubernetes.py index 1634b95..e57aa0e 100644 --- a/code-interpreter/app/services/executor_kubernetes.py +++ b/code-interpreter/app/services/executor_kubernetes.py @@ -103,7 +103,10 @@ def check_health(self) -> HealthCheck: ) return HealthCheck( status="error", - message=f"Service account lacks permission to create pods in namespace={self.namespace}", + message=( + "Service account lacks permission to create " + f"pods in namespace={self.namespace}" + ), ) except ApiException as e: return HealthCheck(