Posted to user@flink.apache.org by Javier Vegas <jv...@strava.com> on 2022/09/06 20:17:13 UTC

serviceAccount permissions issue for high availability in operator 1.1

I am migrating a HA standalone Kubernetes app to use the Flink operator.
The HA store is S3 using IRSA so the app needs to run with a serviceAccount
that is authorized to access S3. In standalone mode HA worked once I gave
the account permissions to edit configMaps. But when trying the operator
with the custom serviceAccount, I am getting this error:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing:
GET at:
https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
Message: Forbidden!Configured service account doesn't have access. Service
account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".

Does the serviceAccount need additional permissions besides configMap edit
to be able to run HA using the operator?

Thanks,

Javier Vegas

Re: serviceAccount permissions issue for high availability in operator 1.1

Posted by Yang Wang <da...@gmail.com>.
The standalone mode will be supported in the release-1.2, which is
expected to be released at the beginning of October.

Best,
Yang

On Mon, Sep 12, 2022, 04:52 Javier Vegas <jv...@strava.com> wrote:

> Hi, Yang!
>
> When you say the operator uses native k8s integration by default, does
> that mean there is a way to change that to use standalone K8s? I haven't
> seen anything about that in the docs, besides a mention that standalone
> support is coming in version 1.2 of the operator.
>
> Thanks,
>
> Javier
>
>
> On Thu, Sep 8, 2022, 22:50 Yang Wang <da...@gmail.com> wrote:
>
>> Since the flink-kubernetes-operator is using native K8s integration[1] by
>> default, you need to give the permissions of pod and deployment as well as
>> ConfigMap.
>>
>> You could find more information about the RBAC here[2].
>>
>> [1].
>> https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
>> [2].
>> https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>>
>> Best,
>> Yang
>>
>> On Wed, Sep 7, 2022, 04:17 Javier Vegas <jv...@strava.com> wrote:
>>
>>> I am migrating a HA standalone Kubernetes app to use the Flink operator.
>>> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
>>> that is authorized to access S3. In standalone mode HA worked once I gave
>>> the account permissions to edit configMaps. But when trying the operator
>>> with the custom serviceAccount, I am getting this error:
>>>
>>> io.fabric8.kubernetes.client.KubernetesClientException: Failure
>>> executing: GET at:
>>> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
>>> Message: Forbidden!Configured service account doesn't have access. Service
>>> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
>>> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
>>> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>>
>>>
>>> Does the serviceAccount need additional permissions besides configMap
>>> edit to be able to run HA using the operator?
>>>
>>> Thanks,
>>>
>>> Javier Vegas
>>>
>>

Re: serviceAccount permissions issue for high availability in operator 1.1

Posted by Javier Vegas <jv...@strava.com>.
Hi, Yang!

When you say the operator uses native k8s integration by default, does that
mean there is a way to change that to use standalone K8s? I haven't seen
anything about that in the docs, besides a mention that standalone support
is coming in version 1.2 of the operator.

Thanks,

Javier


On Thu, Sep 8, 2022, 22:50 Yang Wang <da...@gmail.com> wrote:

> Since the flink-kubernetes-operator is using native K8s integration[1] by
> default, you need to give the permissions of pod and deployment as well as
> ConfigMap.
>
> You could find more information about the RBAC here[2].
>
> [1].
> https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
> [2].
> https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>
> Best,
> Yang
>
> On Wed, Sep 7, 2022, 04:17 Javier Vegas <jv...@strava.com> wrote:
>
>> I am migrating a HA standalone Kubernetes app to use the Flink operator.
>> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
>> that is authorized to access S3. In standalone mode HA worked once I gave
>> the account permissions to edit configMaps. But when trying the operator
>> with the custom serviceAccount, I am getting this error:
>>
>> io.fabric8.kubernetes.client.KubernetesClientException: Failure
>> executing: GET at:
>> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
>> Message: Forbidden!Configured service account doesn't have access. Service
>> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
>> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
>> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>
>>
>> Does the serviceAccount need additional permissions besides configMap
>> edit to be able to run HA using the operator?
>>
>> Thanks,
>>
>> Javier Vegas
>>
>

Re: serviceAccount permissions issue for high availability in operator 1.1

Posted by Yang Wang <da...@gmail.com>.
Since the flink-kubernetes-operator is using native K8s integration[1] by
default, you need to give the permissions of pod and deployment as well as
ConfigMap.

You could find more information about the RBAC here[2].

[1].
https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
[2].
https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/

Best,
Yang

On Wed, Sep 7, 2022, 04:17 Javier Vegas <jv...@strava.com> wrote:

> I am migrating a HA standalone Kubernetes app to use the Flink operator.
> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
> that is authorized to access S3. In standalone mode HA worked once I gave
> the account permissions to edit configMaps. But when trying the operator
> with the custom serviceAccount, I am getting this error:
>
> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing:
> GET at:
> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
> Message: Forbidden!Configured service account doesn't have access. Service
> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>
>
> Does the serviceAccount need additional permissions besides configMap edit
> to be able to run HA using the operator?
>
> Thanks,
>
> Javier Vegas
>
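A namespaced Role and RoleBinding covering the three resource types named in the reply (ConfigMaps for the HA store, plus pods and deployments for the native K8s integration), as an added example that is not part of this thread or of the operator's own manifests. The namespace and account names are the placeholders from the error message, the Role name is made up, and the verb lists are an assumption to be checked against the operator's RBAC page linked above; a Role rather than a ClusterRole keeps the IRSA-bound account confined to its own namespace.

```yaml
# Added example (not from the thread or the operator repo). Grants the job's
# serviceAccount the permissions named in the reply: ConfigMaps for HA plus
# pods and deployments for the native K8s integration. Names are the
# placeholders from the error message; verb lists are an assumption, so
# check them against the operator's RBAC docs before use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-ha-native   # assumed name
  namespace: MYNAMESPACE
rules:
  # HA store: leader election and checkpoint pointers live in ConfigMaps.
  # Edit rights on ConfigMaps alone are what worked in standalone mode.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Native integration: the JobManager starts and stops TaskManager pods.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Native integration: the JobManager reads its own Deployment (the GET
  # that was forbidden in the error) and removes it on cluster shutdown.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-ha-native   # assumed name
  namespace: MYNAMESPACE
subjects:
  - kind: ServiceAccount
    name: MYSERVICEACCOUNT   # the IRSA-annotated account from the question
    namespace: MYNAMESPACE
roleRef:
  kind: Role
  name: flink-ha-native
  apiGroup: rbac.authorization.k8s.io
# Verify the exact call from the error before redeploying:
#   kubectl auth can-i get deployments.apps \
#     --as=system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT -n MYNAMESPACE
```

The `kubectl auth can-i` check in the trailing comment reproduces the forbidden GET as the service account, so a "no" there means the binding has not taken effect yet.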