wangyang0918 commented on pull request #35:
URL:
https://github.com/apache/flink-kubernetes-operator/pull/35#issuecomment-1058085167
I think we might have the following issues that cause the k8s operator to not
work.
* FLINK-26436, we are watching the deployment in all namespaces
* The default Flink rest service exposed type is `LoadBalancer`. So the k8s
operator needs the permissions to list nodes. It has
been changed to `ClusterIP` in FLINK-24503.
```
2022-03-03 13:35:36,774 ERROR io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher [] - Error during event processing ExecutionScope{ resource id: CustomResourceID{name='flink-example-statemachine', namespace='flink-test'}, version: 2490360} failed.
org.apache.flink.kubernetes.operator.exception.ReconciliationException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/api/v1/nodes. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. nodes is forbidden: User "system:serviceaccount:default:flink-operator" cannot list resource "nodes" in API group "" at the cluster scope.
    at org.apache.flink.kubernetes.operator.controller.FlinkDeploymentController.reconcile(FlinkDeploymentController.java:137) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at org.apache.flink.kubernetes.operator.controller.FlinkDeploymentController.reconcile(FlinkDeploymentController.java:57) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.Controller$2.execute(Controller.java:101) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.Controller$2.execute(Controller.java:76) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.api.monitoring.Metrics.timeControllerExecution(Metrics.java:34) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.Controller.reconcile(Controller.java:75) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.reconcileExecution(ReconciliationDispatcher.java:151) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleReconcile(ReconciliationDispatcher.java:117) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleDispatch(ReconciliationDispatcher.java:82) ~[flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.event.ReconciliationDispatcher.handleExecution(ReconciliationDispatcher.java:51) [flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at io.javaoperatorsdk.operator.processing.event.EventProcessor$ControllerExecution.run(EventProcessor.java:385) [flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar:1.0-SNAPSHOT]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
    at java.lang.Thread.run(Unknown Source) [?:?]
```
* We might not need to create the service account in watchNamespaces
unless we want the `flink-operator` service account to be used by the flink
jobmanager/taskmanager.

After more consideration, I think we might need to separate the RBAC for
flink-kubernetes-operator and flink jobmanager/taskmanager. The latter should
have fewer permissions, like this
https://github.com/wangyang0918/flink-native-k8s-operator/blob/master/deploy/flink-rbac.yaml.
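Added example, not part of the original comment or of the project's code: a small Python parser that turns Kubernetes RBAC denials such as the `nodes is forbidden` message in the log above into structured records (subject, verb, resource, API group, scope), so a reviewer can see exactly what a service account is requesting before deciding whether to grant it or to remove the need for it. The function names and the second, namespaced log line are assumptions constructed for illustration.

```python
import re

# Constructed sample input: the first denial is the one from the log above,
# still wrapped as in the e-mail; the second, namespaced one is invented.
SAMPLE_LOG = """\
at: https://10.96.0.1/api/v1/nodes. Message: Forbidden!Configured service
account doesn't have access. Service account may have been revoked. nodes is
forbidden: User "system:serviceaccount:default:flink-operator" cannot list
resource "nodes" in API group "" at the cluster scope.
pods is forbidden: User "system:serviceaccount:default:flink-operator" cannot
watch resource "pods" in API group "" in the namespace "flink-test"
"""

DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(text):
    """Return one dict per distinct RBAC denial found in the log text."""
    flat = " ".join(text.split())  # undo log and e-mail line wrapping
    denials = []
    for m in DENIAL.finditer(flat):
        d = m.groupdict()
        d["scope"] = "namespace" if d["namespace"] else "cluster"
        parts = d["user"].split(":")
        is_sa = len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]
        d["service_account"] = (parts[2], parts[3]) if is_sa else None
        if d not in denials:  # the same denial may be logged repeatedly
            denials.append(d)
    return denials

def requested_rules(denials):
    """Group denials into the rules the subject is asking for, for review."""
    verbs = {}
    for d in denials:
        kind = "ClusterRole" if d["scope"] == "cluster" else "Role"
        key = (d["user"], kind, d["namespace"], d["group"], d["resource"])
        verbs.setdefault(key, set()).add(d["verb"])
    return [{"subject": u, "kind": k, "namespace": ns, "apiGroups": [g],
             "resources": [r], "verbs": sorted(v)}
            for (u, k, ns, g, r), v in verbs.items()]

if __name__ == "__main__":
    for rule in requested_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

A `ClusterRole` entry for a namespaced service account, like the `nodes` one here, is the case worth questioning first; in the comment above the answer was to stop needing it (`ClusterIP` instead of `LoadBalancer`) rather than to grant it.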