Hi Flink Community,

First of all, I would like to express my great thankfulness about the flink operator on Kubernetes. It is a new door to help us deploy the Flink application on top of the K8s.

Our team is currently doing the Application cluster deployment through the operator. We have set up the service account as "flink-operator" and "flink", with the roles and rolebindings. However, after the job yaml is submitted to the api-server and the pod is created, the resources manager cannot be created because this error log:

====
2022-05-17 02:37:22,293 WARN io.fabric8.kubernetes.client.Config [] - Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:22,308 WARN io.fabric8.kubernetes.client.Config [] - Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:25,699 INFO org.apache.flink.runtime.jobmaster.JobMaster [] - Connecting to ResourceManager akka.tcp://fl...@flink-application-job.bip :6123/user/rpc/resourcemanager_*(00000000000000000000000000000000)
2022-05-17 02:37:26,094 WARN io.fabric8.kubernetes.client.dsl.internal.WatcherWebSocketListener [] - Exec Failure: HTTP 403, Status: 403 - pods is forbidden: User "system:anonymous" cannot watch resource "pods" in API group "" in the namespace "xxxxxxxxx"
====

It looks like the jobmanager pod cannot fetch the "flink" service account token and cannot communicate with api-server, though I have created the "flink" service account and set up "serviceAccount" config in the job template.

====
apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: flink-application-job
spec:
  image: flink:1.15.0-scala_2.12-java11
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
    jobmanager.rpc.address: flink-jobmanager
  serviceAccount: flink
====

The below shows the volumeMounts in the pod. The service account is mounted through the "bound service account token volume". Is it desirable?

====
Mounts:
  /opt/flink/conf from flink-config-volume (rw)
  /opt/flink/log from flink-logs (rw)
  /opt/flink/pod-template from pod-template-volume (rw)
  /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-f69zl (ro)
====

This issue has blocked our progress for several days so if there are any possible thoughts, we really appreciate it! Thank you very much and I'm looking forward to your reply.

Best,
Xiao Ma
Geotab
Software Developer, Data Engineering | B.Sc, M.Sc
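
Added example (not part of the original message, and not code from the Flink operator or fabric8): a small log triage that separates the two failure classes visible in a log like the one above. A 403 naming "system:anonymous" means no credential reached the API server, so the roles bound to the service account were never evaluated, whereas a 403 naming "system:serviceaccount:..." is a missing permission. The function name triage, the namespace "example-ns" and the third sample line are constructed for illustration.

```python
import re

# Constructed sample: the first two lines mirror the log quoted in the message
# above (namespace replaced by a placeholder); the third is a contrasting,
# made-up RBAC denial for an authenticated service account.
SAMPLE_LOG = """\
2022-05-17 02:37:22,293 WARN io.fabric8.kubernetes.client.Config [] - Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:26,094 WARN io.fabric8.kubernetes.client.dsl.internal.WatcherWebSocketListener [] - Exec Failure: HTTP 403, Status: 403 - pods is forbidden: User "system:anonymous" cannot watch resource "pods" in API group "" in the namespace "example-ns"
2022-05-17 02:40:00,000 WARN io.fabric8.kubernetes.client.dsl.internal.WatcherWebSocketListener [] - Exec Failure: HTTP 403, Status: 403 - pods is forbidden: User "system:serviceaccount:example-ns:flink" cannot watch resource "pods" in API group "" in the namespace "example-ns"
"""

TOKEN_RE = re.compile(r"Error reading service account token from: \[([^\]]+)\]")
DENIED_RE = re.compile(
    r'is forbidden: User "([^"]+)" cannot (\w+) resource "([^"]+)" '
    r'in API group "([^"]*)"(?: in the namespace "([^"]+)")?')


def triage(log_text):
    """Classify each 403 denial as an authentication or authorization failure."""
    token_paths = sorted(set(TOKEN_RE.findall(log_text)))
    findings = []
    for user, verb, resource, group, namespace in DENIED_RE.findall(log_text):
        if user == "system:anonymous":
            # No credential reached the API server, so RBAC bound to the
            # service account was never evaluated for this request.
            kind = "authentication"
            check = "token file readability for the container user: " + (
                ", ".join(token_paths) or "no token warning seen")
        else:
            # The caller was identified; that identity lacks the permission.
            kind = "authorization"
            check = f"Role/RoleBinding granting '{verb}' on '{resource}' to {user}"
        findings.append({"kind": kind, "user": user, "verb": verb,
                         "resource": resource, "namespace": namespace or None,
                         "check": check})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<15} {f['user']}: {f['check']}")
```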