updated the redundant exit code extraction in checkpodshealth and health_role in create_engine

senseipri · senseipri · commit c8e7d99ea8a8 · 2026-05-13T00:06:37.000+05:30
diff --git a/areal/infra/scheduler/kubernetes.py b/areal/infra/scheduler/kubernetes.py
@@ -585,26 +585,20 @@ def _check_pods_health(self, role: str) -> None:
                         -1,
                         f"Pod {name} {waiting_reason}\n{self._pod_diagnostics(role)}",
                     )
-                exit_code = int(
-                    _obj_get(
-                        terminated,
-                        "exit_code",
-                        _obj_get(terminated, "exitCode", 0),
-                    )
-                )
-                if terminated and exit_code != 0:
+                if terminated:
                     exit_code = int(
                         _obj_get(
                             terminated,
                             "exit_code",
                             _obj_get(terminated, "exitCode", -1),
                         )
                     )
-                    raise WorkerFailedError(
-                        f"{role}/*",
-                        exit_code,
-                        f"Pod {name} exited\n{self._pod_diagnostics(role)}",
-                    )
+                    if exit_code != 0:
+                        raise WorkerFailedError(
+                            f"{role}/*",
+                            exit_code,
+                            f"Pod {name} exited\n{self._pod_diagnostics(role)}",
+                        )
             if phase == "Failed":
                 raise WorkerFailedError(
                     f"{role}/*",
@@ -1116,6 +1110,7 @@ async def create_engine(
         port = int(wi.worker.worker_ports[0])
         url = f"http://{format_hostport(wi.worker.ip, port)}/create_engine"
 
+        self._check_pods_health(health_role)
         try:
             timeout = aiohttp.ClientTimeout(total=300.0)
             async with aiohttp.ClientSession(
diff --git a/docs/en/tutorial/kubernetes.md b/docs/en/tutorial/kubernetes.md
@@ -40,6 +40,47 @@ schedulers:
 - Provide a service account with permission to create, patch, list, and delete
   `Services`, `StatefulSets`, `Pods`, pod logs, and pod events in the target namespace.
 
+## RBAC Permissions
+
+If you are running the AReaL controller with a service account other than a cluster admin, you must provide a `Role` (or `ClusterRole`) with sufficient permissions.
+
+Below is a minimal `Role` and `RoleBinding` example for a namespace named `areal`:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: areal
+  name: areal-scheduler
+rules:
+- apiGroups: [""]
+  resources: ["services", "pods"]
+  verbs: ["get", "list", "watch", "create", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["get", "list", "watch", "create", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: areal
+  name: areal-scheduler-binding
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: areal
+roleRef:
+  kind: Role
+  name: areal-scheduler
+  apiGroup: rbac.authorization.k8s.io
+```
+
 ## Minimal Launch
 
 Use the normal training entrypoint and override the scheduler type:
diff --git a/docs/zh/tutorial/kubernetes.md b/docs/zh/tutorial/kubernetes.md
@@ -37,6 +37,47 @@ worker 的发现与 RPC 流程和 local / Slurm scheduler 保持一致：
 - service account 需要有创建、更新、列出和删除 `Services`、`StatefulSets`、
   `Pods`，以及读取 pod logs/events 的权限。
 
+## RBAC 权限
+
+如果你在一个没有集群管理员权限的 service account 下运行 AReaL controller，你需要为其配置一个具有足够权限的 `Role`（或 `ClusterRole`）。
+
+以下是在名为 `areal` 的 namespace 下配置 `Role` 和 `RoleBinding` 的示例：
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: areal
+  name: areal-scheduler
+rules:
+- apiGroups: [""]
+  resources: ["services", "pods"]
+  verbs: ["get", "list", "watch", "create", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["statefulsets"]
+  verbs: ["get", "list", "watch", "create", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: areal
+  name: areal-scheduler-binding
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: areal
+roleRef:
+  kind: Role
+  name: areal-scheduler
+  apiGroup: rbac.authorization.k8s.io
+```
+
 ## 最小启动命令
 
 使用正常的训练入口，并覆盖 scheduler 类型：
