Posted to user@flink.apache.org by Berkay Polat via user <us...@flink.apache.org> on 2022/11/17 20:36:35 UTC

Stand alone K8s HA mode with Static Tokens Used by Service Accounts

Hi,

Our team has been using Flink 1.15 and we have a stand alone K8s Flink
setup that uses K8s HA services for its HA mode. Recently, our organization
is in the works of updating their EKS clusters' Kubernetes versions to 1.21
or later. We received a request from our support team that the service
accounts associated with our stand alone Flink cluster have been using
static tokens, which is not permitted for newer K8s versions. Instead, they
requested us to switch to a refresh token approach (
https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#identify-pods-using-stale-tokens
).

From what I understand, in Flink 1.15, HA mode is using version 5.5.0 of
io.fabric8's kubernetes client and it seems that it is compatible with K8s
1.21.1 and later (
https://github.com/fabric8io/kubernetes-client#compatibility-matrix) so I
am not sure what the underlying limitation/issue is here.

The AWS doc link I referred to earlier recommends upgrading versions for
Kubernetes Client SDKs but it refers to io.kubernetes's client SDKs, not
io.fabric8.

Could someone shed some light on it? Would it be worth it to request a
change to upgrade the io.fabric8 kubernetes client version to a newer
version?

Thanks,
-- 
*BERKAY POLAT*
Software Engineer SMTS | MuleSoft at Salesforce

Re: Stand alone K8s HA mode with Static Tokens Used by Service Accounts

Posted by Yang Wang <da...@gmail.com>.
IIUC, the fabric8 Kubernetes-client 5.5.0 should already support reloading
the latest kube config if it receives a 401 error.
Refer to the following PR[1] for more information.

Please share your feedback here if it still does not work.

[1]. https://github.com/fabric8io/kubernetes-client/pull/2731

Best,
Yang

Berkay Polat via user <us...@flink.apache.org> wrote on Wed, Nov 23, 2022 at 01:57:

> Hi team,
>
> Bumping this up again, from the AWS docs, the suggested approach is to
> simply upgrade the K8s java SDK client (
> https://github.com/kubernetes-client/java/) being used. However, in
> Flink's case with the io.fabric8 K8s client, I am not sure how to handle
> it. Any help and guidance would be much appreciated.
>
> Thanks,
>
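
The difference between a client that reads its service account token once at start-up and one that re-reads the mounted token file after a 401, which is the behaviour the reply above attributes to fabric8 kubernetes-client 5.5.0. This is an added example, not code from fabric8, Flink or the thread; `FakeApiServer`, `TokenFileClient`, `rotate`, `run_scenario` and the token values are constructed stand-ins.

```python
import os
import tempfile

class FakeApiServer:
    """Constructed stand-in for the API server: accepts only the current token."""
    def __init__(self):
        self.accepted = set()
    def request(self, token):
        return 200 if token in self.accepted else 401

class TokenFileClient:
    """Hypothetical client that authenticates with a token read from a file."""
    def __init__(self, server, token_path, reload_on_401):
        self.server, self.token_path = server, token_path
        self.reload_on_401 = reload_on_401
        self.token = self._read_token()   # read once at start-up
        self.reloads = 0

    def _read_token(self):
        with open(self.token_path, encoding="utf-8") as fh:
            return fh.read().strip()

    def get(self):
        status = self.server.request(self.token)
        if status == 401 and self.reload_on_401:
            fresh = self._read_token()
            if fresh != self.token:       # retry once, only if the file changed
                self.token = fresh
                self.reloads += 1
                status = self.server.request(self.token)
        return status

def rotate(server, token_path, new_token):
    """Mimic rotation: the file is replaced atomically and the old token is rejected."""
    with open(token_path + ".tmp", "w", encoding="utf-8") as fh:
        fh.write(new_token)
    os.replace(token_path + ".tmp", token_path)
    server.accepted = {new_token}

def run_scenario(reload_on_401):
    """Return (status before rotation, statuses after rotation, reload count)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        server = FakeApiServer()
        rotate(server, path, "token-v1")  # constructed sample values
        client = TokenFileClient(server, path, reload_on_401)
        before = client.get()
        rotate(server, path, "token-v2")
        return before, [client.get(), client.get()], client.reloads
```

In this sketch the file is re-read only after a 401, so a client keeps presenting its old token for as long as the server still accepts it.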

Fwd: Stand alone K8s HA mode with Static Tokens Used by Service Accounts

Posted by Berkay Polat via user <us...@flink.apache.org>.
Hi team,

Bumping this up again, from the AWS docs, the suggested approach is to
simply upgrade the K8s java SDK client (
https://github.com/kubernetes-client/java/) being used. However, in Flink's
case with the io.fabric8 K8s client, I am not sure how to handle it. Any
help and guidance would be much appreciated.

Thanks,

-- 
*BERKAY POLAT*
Software Engineer SMTS | MuleSoft at Salesforce