You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/04/27 13:05:28 UTC

[GitHub] [flink-kubernetes-operator] mnuttall opened a new pull request, #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

mnuttall opened a new pull request, #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186

   As per https://issues.apache.org/jira/browse/FLINK-27425 this resolves the error, 
   
   ```
   [ERROR] Could not execute SQL statement. Reason:
   io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/api/v1/namespaces/default/services/basic-example-rest. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. services "basic-example-rest" is forbidden: User "system:serviceaccount:default:flink" cannot get resource "services" in API group "" in the namespace "default".
   ```
   
   seen when running a Flink job that uses the Kafka connector against a default install. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] mnuttall commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

mnuttall commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1113479661

   Update - yes, I've connected an sql-client to a session cluster and successfully run jobs against it, using Kafka. 
   
   ```
   apiVersion: flink.apache.org/v1alpha1
   kind: FlinkDeployment
   metadata:
     namespace: default
     name: flink-test
   spec:
     image: flink:1.14.4-scala_2.11-java11
     flinkVersion: v1_14
     flinkConfiguration:
       taskmanager.numberOfTaskSlots: "2"
     serviceAccount: flink
     jobManager:
       replicas: 1
       resource:
         memory: "2048m"
         cpu: 1
     taskManager:
       resource:
         memory: "2048m"
         cpu: 1
   ```
   
   I'm going to close this PR and issue since it's not enough to get the sql-client _within_ the session cluster to work, and not required for application clusters. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] morhidi commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

morhidi commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111906330

   Can you please attach the stack trace? I don't what is trying to access the `basic-example-rest` service


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] Aitozi commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

Aitozi commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111974768

   The directly submitted SQL scripts will not managed by the operator.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] mnuttall commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

mnuttall commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111993689

   @Aitozi thanks for the clarification - that's fine, if we want operator-managed jobs we'll use `FlinkDeployments`. Currently we're planning to need both managed and unmanaged jobs. 
   
   @morhidi I've not tried connecting a remote sql-client to my session cluster - though I will have to get that working.  I'll get back to you : ) 
   
   Thank you both for getting back to me so quickly. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] morhidi commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

morhidi commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111968149

   Thanks for the clarification @mnuttall I guess we haven't tested this exact scenario yet. @Aitozi do you submit SQL scripts already against a session cluster managed by the operator?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] morhidi commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

morhidi commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111970310

   Running the sql client from your host against an exposed session cluster should work I guess. Is that something you've tried already?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] mnuttall commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

mnuttall commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1111955950

   Hi @morhidi, after further testing, I only see this problem in a very limited situation:
   
   - create a session cluster using a FlinkDeployment with no `spec.job` stanza
   - exec into the cluster pod
   - run bin/sql-client.sh
   - create a TABLE backed by a kafka topic and execute a SELECT against it
   
   At this point, the RBAC error shown above appears inline within the sql-client, but no exceptions appear either within the sql-client or the pod logs.
   
   However, the Role does not need to be changed in order for the same to work on an application cluster with the SQL submitted via the Table API.
   
   Should it be possible to exec into a session cluster's job manager and run and submit jobs via the sql-client? 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] Aitozi commented on pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

Aitozi commented on PR #186:
URL: https://github.com/apache/flink-kubernetes-operator/pull/186#issuecomment-1112092484

   @mnuttall I think what you need is the ability to submit SQL job to the session cluster, Right ? If yes, there is an ongoing [ticket](https://issues.apache.org/jira/browse/FLINK-27009) tracking this now , you can take a look there.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [flink-kubernetes-operator] mnuttall closed pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka

Posted by GitBox <gi...@apache.org>.

mnuttall closed pull request #186: [FLINK-27425] Default job service account needs access to services to work with Kafka
URL: https://github.com/apache/flink-kubernetes-operator/pull/186


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org