Re: serviceAccount permissions issue for high availability in operator 1.1
The standalone mode will be supported in the release-1.2, which is expected to be released at the beginning of October.

Best,
Yang

Javier Vegas wrote on Mon, Sep 12, 2022 at 04:52:

> Hi, Yang!
>
> When you say the operator uses native k8s integration by default, does that mean there is a way to change that to use standalone K8s? I haven't seen anything about that in the docs, besides a mention that standalone support is coming in version 1.2 of the operator.
>
> Thanks,
>
> Javier
>
> On Thu, Sep 8, 2022, 22:50 Yang Wang wrote:
>
>> Since the flink-kubernetes-operator is using native K8s integration[1] by default, you need to give the permissions of pod and deployment as well as ConfigMap.
>>
>> You could find more information about the RBAC here[2].
>>
>> [1]. https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
>> [2]. https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>>
>> Best,
>> Yang
>>
>> Javier Vegas wrote on Wed, Sep 7, 2022 at 04:17:
>>
>>> I am migrating an HA standalone Kubernetes app to use the Flink operator. The HA store is S3 using IRSA so the app needs to run with a serviceAccount that is authorized to access S3. In standalone mode HA worked once I gave the account permissions to edit configMaps. But when trying the operator with the custom serviceAccount, I am getting this error:
>>>
>>> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps "MYAPPNAME" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>>
>>> Does the serviceAccount need additional permissions besides configMap edit to be able to run HA using the operator?
>>>
>>> Thanks,
>>>
>>> Javier Vegas
Re: serviceAccount permissions issue for high availability in operator 1.1
Hi, Yang!

When you say the operator uses native k8s integration by default, does that mean there is a way to change that to use standalone K8s? I haven't seen anything about that in the docs, besides a mention that standalone support is coming in version 1.2 of the operator.

Thanks,

Javier

On Thu, Sep 8, 2022, 22:50 Yang Wang wrote:

> Since the flink-kubernetes-operator is using native K8s integration[1] by default, you need to give the permissions of pod and deployment as well as ConfigMap.
>
> You could find more information about the RBAC here[2].
>
> [1]. https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
> [2]. https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>
> Best,
> Yang
>
> Javier Vegas wrote on Wed, Sep 7, 2022 at 04:17:
>
>> I am migrating an HA standalone Kubernetes app to use the Flink operator. The HA store is S3 using IRSA so the app needs to run with a serviceAccount that is authorized to access S3. In standalone mode HA worked once I gave the account permissions to edit configMaps. But when trying the operator with the custom serviceAccount, I am getting this error:
>>
>> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps "MYAPPNAME" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>
>> Does the serviceAccount need additional permissions besides configMap edit to be able to run HA using the operator?
>>
>> Thanks,
>>
>> Javier Vegas
Re: serviceAccount permissions issue for high availability in operator 1.1
Since the flink-kubernetes-operator is using native K8s integration[1] by default, you need to give the permissions of pod and deployment as well as ConfigMap.

You could find more information about the RBAC here[2].

[1]. https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
[2]. https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/

Best,
Yang

Javier Vegas wrote on Wed, Sep 7, 2022 at 04:17:

> I am migrating an HA standalone Kubernetes app to use the Flink operator. The HA store is S3 using IRSA so the app needs to run with a serviceAccount that is authorized to access S3. In standalone mode HA worked once I gave the account permissions to edit configMaps. But when trying the operator with the custom serviceAccount, I am getting this error:
>
> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps "MYAPPNAME" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>
> Does the serviceAccount need additional permissions besides configMap edit to be able to run HA using the operator?
>
> Thanks,
>
> Javier Vegas
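
An added example, not code from this thread or from the Flink project: the Forbidden message quoted above states exactly which request the RBAC authorizer refused, so a short parser can turn a batch of such denials into the narrowest namespaced Role and RoleBinding that would allow them. The role name `flink-job-minimal` and the two pod denials in the sample are assumptions constructed for illustration; only the deployments denial comes from the thread.

```python
import json
import re

# Denial text written by the Kubernetes RBAC authorizer, in the form quoted in the thread.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)"')

# First entry: the error from the thread (placeholders kept). Other two: constructed samples.
SAMPLE_LOG = '''
deployments.apps "MYAPPNAME" is forbidden:
User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
pods is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot watch resource "pods" in API group "" in the namespace "MYNAMESPACE"
pods is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot create resource "pods" in API group "" in the namespace "MYNAMESPACE"
'''

def parse_denials(log_text):
    """Return (namespace, service_account, api_group, resource, verb) for each denial."""
    # Mail clients and log shippers wrap long lines, so collapse whitespace before matching.
    flat = " ".join(log_text.split())
    return [(m["ns"], m["sa"], m["group"], m["res"], m["verb"])
            for m in DENIAL.finditer(flat)]

def build_role(denials, namespace, service_account, name="flink-job-minimal"):
    """Build a Role and RoleBinding that allow only the denied requests of one account."""
    grouped = {}
    for ns, sa, group, resource, verb in denials:
        if (ns, sa) == (namespace, service_account):  # ignore other accounts' denials
            grouped.setdefault((group, resource), set()).add(verb)
    rules = [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
             for (group, resource), verbs in sorted(grouped.items())]
    meta = {"name": name, "namespace": namespace}
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": meta, "rules": rules}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": meta,
               "subjects": [{"kind": "ServiceAccount", "name": service_account,
                             "namespace": namespace}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                           "kind": "Role", "name": name}}
    return role, binding

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for manifest in build_role(found, "MYNAMESPACE", "MYSERVICEACCOUNT"):
        print(json.dumps(manifest, indent=2))  # kubectl apply -f accepts JSON manifests
```

Denials surface one request at a time, so the generated rules cover only what has already been observed in the logs; the RBAC page linked as [2] remains the reference for the full set the operator's jobs need.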
serviceAccount permissions issue for high availability in operator 1.1
I am migrating an HA standalone Kubernetes app to use the Flink operator. The HA store is S3 using IRSA so the app needs to run with a serviceAccount that is authorized to access S3. In standalone mode HA worked once I gave the account permissions to edit configMaps. But when trying the operator with the custom serviceAccount, I am getting this error:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps "MYAPPNAME" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".

Does the serviceAccount need additional permissions besides configMap edit to be able to run HA using the operator?

Thanks,

Javier Vegas