You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user-zh@flink.apache.org by a5...@163.com on 2020/06/10 06:25:47 UTC
native kubernetes ClusterRoleBinding 过期问题咨询
hi all
使用的版本是flink 1.10.1 ,kubernetes 版本 1.17
构建了一个session集群,也有正常赋权,可以正常提交作业并运行作业。隔一段时间后,重新提交作业会出现无法创建新的TM的现象。需要重新执行kubectl apply -f rbac.yaml 将账号和角色进行绑定后才可以正常创建TM。
对应的rbac.yaml如下
apiVersion: v1
kind: ServiceAccount
metadata:
name: flink
namespace: flink-collect-metric
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: flink-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: edit
subjects:
- kind: ServiceAccount
name: flink
namespace: flink-collect-metric
报错信息如下:
2020-06-10 14:09:14,664 ERROR org.apache.flink.kubernetes.KubernetesResourceManager - Could not start TaskManager in pod flink-collect-metric-taskmanager-1-509.
java.util.concurrent.CompletionException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.96.0.1/api/v1/namespaces/flink-collect-metric/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1643)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.96.0.1/api/v1/namespaces/flink-collect-metric/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:510)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:447)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:413)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:372)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:241)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:798)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:328)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:324)
at org.apache.flink.kubernetes.kubeclient.Fabric8FlinkKubeClient.lambda$createTaskManagerPod$0(Fabric8FlinkKubeClient.java:184)
at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1640)
... 3 more
Looking forward to your reply and help.
Best
| |
a511955993
|
|
邮箱:a511955993@163.com
|
签名由 网易邮箱大师 定制