Hi, I'm trying to enable HA for flink-kubernetes-operator <https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/operations/configuration/#leader-election-and-high-availability> with Helm. We are using namespaced RBAC via watchedNamespaces.
I've followed instructions and set kubernetes.operator.leader-election.enabled and kubernetes.operator.leader-election.lease-name, and increased replicas to 2. When I deploy, the second replica comes online, but errors with:

Exception occurred while acquiring lock 'LeaseLock: flink-operator - flink-operator-lease (flink-kubernetes-operator-86b888d6b6-8cxjs Failure executing: GET at: https://x.x.x.x/apis/coordination.k8s.io/v1/namespaces/flink-operator/leases/flink-operator-lease. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. leases.coordination.k8s.io "flink-operator-lease" is forbidden: User "system:serviceaccount:flink-operator:flink-operator" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "flink-operator".

Looking at the rbac.yaml helm template <https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/templates/rbac.yaml>, it looks like the Role and RoleBindings that grant access to the leases resource are created for the configured watchNamespaces, but not for the namespace in which the flink-kubernetes-operator is deployed.

I think that for HA, the flink-kubernetes-operator is going to be asking k8s for Leases in its own namespace, right? Is this a bug, or am I doing something wrong? I'd file a JIRA, but I betcha I'm just doing something wrong (unless I'm the first person who's tried to use HA + namespaced RBAC with the helm charts?).

Thanks!
-Andrew Otto
Wikimedia Foundation
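
One way to confirm the gap described in the message above is to evaluate the namespaced Roles and RoleBindings offline and list the namespaces where the operator's service account cannot get leases. This is an added example, not part of the original message and not code from the Flink project; the sample objects are constructed, "flink-jobs" is a hypothetical watched namespace, and the verbs are illustrative.

```python
# Constructed sample shaped like the "items" of `kubectl get roles,rolebindings -A -o json`.
# "flink-jobs" is a hypothetical watched namespace; names and verbs are illustrative.
def _role(ns):
    return {"kind": "Role", "metadata": {"namespace": ns, "name": "flink"},
            "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                       "verbs": ["get", "create", "update"]}]}

def _binding(ns):
    return {"kind": "RoleBinding", "metadata": {"namespace": ns, "name": "flink-rb"},
            "roleRef": {"kind": "Role", "name": "flink"},
            "subjects": [{"kind": "ServiceAccount", "name": "flink-operator",
                          "namespace": "flink-operator"}]}

WATCHED_ONLY = [_role("flink-jobs"), _binding("flink-jobs")]   # situation in the message
FIXED = WATCHED_ONLY + [_role("flink-operator"), _binding("flink-operator")]

def _hit(values, wanted):
    return "*" in values or wanted in values

def can_i(items, sa_ns, sa_name, namespace, group, resource, verb):
    """True if a Role bound to the service account inside `namespace` grants the verb.
    Covers Role + RoleBinding only; ClusterRoles and resourceNames are ignored."""
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i.get("rules", [])
             for i in items if i["kind"] == "Role"}
    for rb in items:
        if rb["kind"] != "RoleBinding" or rb["metadata"]["namespace"] != namespace:
            continue
        if rb["roleRef"]["kind"] != "Role":
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace", namespace) == sa_ns
                   for s in rb.get("subjects", [])):
            continue
        for rule in roles.get((namespace, rb["roleRef"]["name"]), []):
            if (_hit(rule.get("apiGroups", []), group)
                    and _hit(rule.get("resources", []), resource)
                    and _hit(rule.get("verbs", []), verb)):
                return True
    return False

def lease_gaps(items, sa_ns, sa_name, namespaces):
    """Namespaces in which the service account cannot `get` leases."""
    return [ns for ns in namespaces
            if not can_i(items, sa_ns, sa_name, ns, "coordination.k8s.io", "leases", "get")]

if __name__ == "__main__":
    print(lease_gaps(WATCHED_ONLY, "flink-operator", "flink-operator",
                     ["flink-operator", "flink-jobs"]))
```

Against a live cluster, `kubectl auth can-i get leases.coordination.k8s.io -n flink-operator --as=system:serviceaccount:flink-operator:flink-operator` asks the API server the same question.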