jeesmon commented on code in PR #288:
URL: https://github.com/apache/flink-kubernetes-operator/pull/288#discussion_r911971961
##########
helm/flink-kubernetes-operator/templates/rbac.yaml:
##########
@@ -21,23 +21,14 @@ RBAC rules used to create the operator (cluster)role based
on the scope
*/}}
{{- define "flink-operator.rbacRules" }}
rules:
- - apiGroups:
- - flink-operator
- resources:
- - "*"
- verbs:
- - "*"
- apiGroups:
- ""
resources:
- pods
- services
- - endpoints
- - persistentvolumeclaims
- events
- configmaps
- secrets
- - nodes
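Review bot: the `- - nodes` line removes `nodes` from the core-group resource list, but the error pasted in the comment below shows the operator doing `GET /api/v1/nodes` when `kubernetes.rest-service.exposed.type: NodePort` is set, so the cluster-scoped role must keep `nodes`; the least-privilege form is a separate rule granting only the `list` verb on `nodes` rather than folding it into the general core-group rule, and the template should carry a comment that a namespace-scoped install cannot satisfy this because a namespaced Role never grants a cluster-scoped resource. The same hunk also drops `endpoints` and `persistentvolumeclaims` without a comment saying why they are no longer needed; a one-line note in the template would stop a later reader from adding them back.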
Review Comment:
@morhidi You are right, `kubernetes.rest-service.exposed.type: NodePort`
requires `list` permission on `nodes` at the cluster scope.
```
2022-07-01 13:30:20,742 i.j.o.p.e.ReconciliationDispatcher
[ERROR][flink-27975/basic-example] Error during event processing
ExecutionScope{ resource id: ResourceID{name='basic-example',
namespace='flink-27975'}, version: 16843355} failed.
org.apache.flink.kubernetes.operator.exception.ReconciliationException:
org.apache.flink.kubernetes.shaded.io.fabric8.kubernetes.client.KubernetesClientException:
Failure executing: GET at: https://10.96.0.1/api/v1/nodes. Message:
Forbidden!Configured service account doesn't have access. Service account may
have been revoked. nodes is forbidden: User
"system:serviceaccount:flink-27975:flink-operator" cannot list resource "nodes"
in API group "" at the cluster scope.
```
This brings another point: `kubernetes.rest-service.exposed.type:
NodePort` will throw an error for a namespace-scoped operator, as it requires `list`
permission at the cluster scope for `nodes`.
I will update the PR with `nodes` RBAC and some comments. Thanks for your
pointers.
@gyfora FYI
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
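The point raised in the comment above, that `list nodes` needs cluster-scope permission and therefore cannot be satisfied by a namespace-scoped operator, is easy to misjudge from the rules list alone, because the same rule text grants different things depending on whether it is bound by a RoleBinding or a ClusterRoleBinding. The following added example, which is not code from the operator or its Helm chart, models just enough of Kubernetes RBAC evaluation to show that difference. The service account name is the one from the pasted error; the rule contents, the `"*"` verbs on the core-group rule, the `CLUSTER_SCOPED` set and the binding layouts are constructed assumptions for illustration.

```python
"""Added example (not the operator's or chart's code): a small model of
Kubernetes RBAC evaluation showing why `list nodes` can only be granted
through a ClusterRole bound by a ClusterRoleBinding, never through a
namespaced Role bound by a RoleBinding. Rules, verbs and bindings below
are constructed for illustration; only the service account name comes
from the error message in the PR comment."""
from dataclasses import dataclass
from typing import List, Optional

# Core-group resources that live outside any namespace (assumed subset).
# A RoleBinding can never grant access to these, whatever its Role says.
CLUSTER_SCOPED = {("", "nodes"), ("", "namespaces"), ("", "persistentvolumes")}


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" in any list matches everything, as in a real PolicyRule.
        def hit(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class Binding:
    subject: str                     # e.g. system:serviceaccount:<ns>:<name>
    rules: List[Rule]                # rules of the bound (Cluster)Role
    namespace: Optional[str] = None  # None = ClusterRoleBinding, else RoleBinding in that namespace


def can_i(bindings: List[Binding], subject: str, verb: str, resource: str,
          api_group: str = "", namespace: Optional[str] = None) -> bool:
    """True if some binding for `subject` grants `verb` on `resource`.

    `namespace` is the namespace of the request; pass None for a
    cluster-scoped resource such as nodes. A RoleBinding only applies to
    namespaced resources inside its own namespace, so it is skipped for
    cluster-scoped resources even when its rules name them.
    """
    cluster_scoped = (api_group, resource) in CLUSTER_SCOPED
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and (cluster_scoped or b.namespace != namespace):
            continue
        if any(r.matches(api_group, resource, verb) for r in b.rules):
            return True
    return False


# Service account from the Forbidden error quoted in the comment.
SA = "system:serviceaccount:flink-27975:flink-operator"

# Core-group rule mirroring the chart's resource list with `nodes` kept in;
# the "*" verbs are an assumption, the hunk does not show them.
CORE_RULE = Rule([""], ["pods", "services", "events", "configmaps", "secrets", "nodes"], ["*"])

# Least-privilege alternative: grant only what the NodePort path needs.
NODES_LIST_RULE = Rule([""], ["nodes"], ["list"])


def cluster_scoped_operator(rules: List[Rule]) -> List[Binding]:
    """Install with a ClusterRole bound by a ClusterRoleBinding."""
    return [Binding(SA, rules, namespace=None)]


def namespace_scoped_operator(rules: List[Rule], ns: str = "flink-27975") -> List[Binding]:
    """Install with a Role bound by a RoleBinding in the watched namespace."""
    return [Binding(SA, rules, namespace=ns)]


if __name__ == "__main__":
    for label, bindings in [("cluster-scoped", cluster_scoped_operator([CORE_RULE])),
                            ("namespace-scoped", namespace_scoped_operator([CORE_RULE]))]:
        ok = can_i(bindings, SA, "list", "nodes")
        print(f"{label}: list nodes -> {'allowed' if ok else 'forbidden'}")
```

The model deliberately ignores `resourceNames`, `nonResourceURLs`, subresources and ClusterRole aggregation; it exists only to show the scoping rule. On a live cluster the equivalent check is `kubectl auth can-i list nodes --as=system:serviceaccount:flink-27975:flink-operator`, which answers `no` for a namespace-scoped install regardless of what the Role lists.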