Hi Flink Community,

First of all, I would like to express my gratitude for the Flink
operator on Kubernetes. It opens a new door for us to deploy Flink
applications on top of K8s.

Our team is currently doing the Application cluster deployment through the
operator. We have set up the service accounts "flink-operator" and
"flink", with the roles and rolebindings. However, after the job yaml is
submitted to the api-server and the pod is created, the resource manager
cannot be created because of this error log:
====
2022-05-17 02:37:22,293 WARN  io.fabric8.kubernetes.client.Config
               [] - Error reading service account token from:
[/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:22,308 WARN  io.fabric8.kubernetes.client.Config
               [] - Error reading service account token from:
[/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:25,699 INFO  org.apache.flink.runtime.jobmaster.JobMaster
                [] - Connecting to ResourceManager
akka.tcp://fl...@flink-application-job.bip
:6123/user/rpc/resourcemanager_*(00000000000000000000000000000000)
2022-05-17 02:37:26,094 WARN
 io.fabric8.kubernetes.client.dsl.internal.WatcherWebSocketListener [] -
Exec Failure: HTTP 403, Status: 403 - pods is forbidden: User
"system:anonymous" cannot watch resource "pods" in API group "" in the
namespace "xxxxxxxxx"
====

It looks like the jobmanager pod cannot fetch the "flink" service account
token and cannot communicate with the api-server, though I have created the
"flink" service account and set up the "serviceAccount" config in the job
template.
====

apiVersion: flink.apache.org/v1beta1
kind: FlinkDeployment
metadata:
  name: flink-application-job
spec:
  image: flink:1.15.0-scala_2.12-java11
  flinkVersion: v1_15
  flinkConfiguration:
    taskmanager.numberOfTaskSlots: "2"
    jobmanager.rpc.address: flink-jobmanager
  serviceAccount: flink

====

Below are the volumeMounts in the pod. The service account is mounted
through the "bound service account token volume". Is it desirable?
====
  Mounts:
      /opt/flink/conf from flink-config-volume (rw)
      /opt/flink/log from flink-logs (rw)
      /opt/flink/pod-template from pod-template-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from
kube-api-access-f69zl (ro)
====

This issue has blocked our progress for several days, so if you have any
thoughts, we would really appreciate them!

Thank you very much and I'm looking forward to your reply.


Best,
*Xiao Ma*
*Geotab*
Software Developer, Data Engineering | B.Sc, M.Sc

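Added example, not part of the original message and not Flink or fabric8 code: a small log triage that re-joins the wrapped records quoted above and classifies each 403 by the identity the API server reported. A denial for "system:anonymous" means the request carried no bearer token, which is a different problem from a Role or RoleBinding gap. The names `unwrap`, `triage` and `CONSTRUCTED_RBAC` are assumptions made for this illustration.

```python
import re

# Excerpt from the post's log, still line-wrapped as the mail client left it.
SAMPLE = """\
2022-05-17 02:37:22,293 WARN  io.fabric8.kubernetes.client.Config
               [] - Error reading service account token from:
[/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.
2022-05-17 02:37:26,094 WARN
 io.fabric8.kubernetes.client.dsl.internal.WatcherWebSocketListener [] -
Exec Failure: HTTP 403, Status: 403 - pods is forbidden: User
"system:anonymous" cannot watch resource "pods" in API group "" in the
namespace "xxxxxxxxx"
"""
# Constructed contrast case (not from the post): the token loaded, RBAC said no.
CONSTRUCTED_RBAC = (
    '2022-05-17 02:40:00,000 WARN  example.Listener [] - Exec Failure: HTTP 403, '
    'Status: 403 - pods is forbidden: User "system:serviceaccount:demo:flink" '
    'cannot watch resource "pods" in API group "" in the namespace "demo"\n')

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
TOKEN_ERR = re.compile(r"Error reading service account token from: \[([^\]]+)\]")
FORBIDDEN = re.compile(r'is forbidden: User "([^"]+)" cannot (\w+) resource '
                       r'"([^"]+)".*?namespace "([^"]*)"')

def unwrap(text):
    """Re-join wrapped records; a new record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return [re.sub(r"\s+", " ", r) for r in records]

def triage(text):
    """Classify token-load failures and 403 denials by the identity the API server saw."""
    findings = []
    for rec in unwrap(text):
        if m := TOKEN_ERR.search(rec):
            findings.append(("token_unreadable", m.group(1)))
        elif m := FORBIDDEN.search(rec):
            user, verb, resource, ns = m.groups()
            # system:anonymous means no bearer token was sent, so the
            # service account's Role/RoleBinding was never evaluated.
            kind = ("unauthenticated" if user == "system:anonymous"
                    else "rbac_denied" if user.startswith("system:serviceaccount:")
                    else "denied_other_identity")
            findings.append((kind, user, f"{verb} {resource}", ns))
    return findings
```

Calling `triage(SAMPLE + CONSTRUCTED_RBAC)` returns one finding per matching record, in log order.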