Hi! When not using a cluster-wide installation, Role and RoleBinding resources to be able to interact with Flink resources are only installed in the namespaces listed in the `watchNamespaces` field. If the namespace where the operator is installed is not added to this list, RBAC will be configured in a way that doesn't allow for Flink resources (one of them being FlinkStateSnapshot) to be listed in that namespace. I have overlooked this when implementing this check.
In the next release we should remove this check as it is, as I think we can expect that all installations will have the FlinkStateSnapshot CRD. For now, you can fix it by creating a new Role and RoleBinding for the flink-operator ServiceAccount or by editing the flink-operator Role in the namespace where the operator Helm chart was installed, adding this to its rules:

```
- apiGroups:
  - flink.apache.org
  resources:
  - flinkstatesnapshots
  verbs:
  - list
```

In simple terms, the method you have linked needs to be able to list the FlinkStateSnapshot resources in the namespace the operator is running in. And by using `watchNamespaces` and installing the operator in a namespace not listed there, the operator won't have access to list these resources.

Salva Alcántara <salcantara...@gmail.com> wrote (on Tue, Mar 4, 2025, 9:30):

> Hey all! I recently bumped the Flink Kubernetes Operator to v1.10.0 and
> one of the things I wanted to check is the usage of the new
> FlinkStateSnapshot CRD. I confirmed that the CRD was correctly created in
> my cluster, however I'm still seeing these logs:
>
> ```
> Starting Operator
> 2025-03-01T08:31:08.779422Z main ERROR appender CONSOLE has no parameter that matches element JsonLayout
> 2025-03-01T08:31:08.782927Z main ERROR Unable to locate appender "ConsoleAppender" for logger config "root"
> 2025-03-01 08:31:12,885 i.f.k.c.d.i.VersionUsageUtils [WARN ] The client is using resource type 'flinkstatesnapshots' with unstable version 'v1beta1'
> 2025-03-01 08:31:14,180 o.a.f.k.o.c.FlinkConfigManager [WARN ] FlinkStateSnapshot CRD was not installed, snapshot resources will be disabled!
> ```
>
> I think this relates to the RBAC stuff. For what it's worth, the
> FlinkStateSnapshot CRD was not installed log message goes away if I switch
> to a cluster-wide installation (which handles RBAC via clusterrole &
> clusterrolebinding). However, for a namespaced installation like mine
> (using a non-empty array for watchNamespaces) there must be something
> wrong, despite RBAC apparently being right, i.e.:
>
> ```
> kubectl auth can-i list flinkstatesnapshot -n a-watched-namespace --as=system:serviceaccount:flink-operator:flink-operator
> yes
> ```
>
> The answer is the same for any namespace within watchNamespaces (w.r.t.
> flink-operator, which is where I deploy the operator).
>
> The issue might be in this line:
>
> - https://github.com/apache/flink-kubernetes-operator/blob/9eb3c385b90a5a2f08376720f[…]ache/flink/kubernetes/operator/utils/KubernetesClientUtils.java
>   <https://github.com/apache/flink-kubernetes-operator/blob/9eb3c385b90a5a2f08376720f3204d1784981a0c/flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/utils/KubernetesClientUtils.java#L72C31-L72C67>
>
> which is not passing any special config, maybe the idea was to use
> getKubernetesClient instead? Can anyone help troubleshoot the issue?
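
The Role and RoleBinding workaround described in the reply above, written out in full as an added example (not part of the thread and not the project's own manifest). It assumes the operator runs in the `flink-operator` namespace under the `flink-operator` ServiceAccount, as in the `kubectl auth can-i` command quoted above; the name `flink-operator-snapshot-list` is hypothetical.

```yaml
# Added example: namespaced, list-only grant in the operator's own namespace.
# Assumptions taken from the thread: namespace "flink-operator" and
# ServiceAccount "flink-operator". The Role/RoleBinding name is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-operator-snapshot-list   # hypothetical name
  namespace: flink-operator            # namespace the operator is installed in
rules:
  - apiGroups:
      - flink.apache.org
    resources:
      - flinkstatesnapshots
    verbs:
      - list                           # only the verb the reply says is needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-operator-snapshot-list   # hypothetical name
  namespace: flink-operator
subjects:
  - kind: ServiceAccount
    name: flink-operator
    namespace: flink-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-operator-snapshot-list
# Check after applying, using the same form as the command in the thread but
# pointed at the operator's namespace instead of a watched one:
#   kubectl auth can-i list flinkstatesnapshots -n flink-operator \
#     --as=system:serviceaccount:flink-operator:flink-operator
```

Keeping the grant in a Role rather than a ClusterRole preserves the namespaced installation's scope: the ServiceAccount gains `list` on this one resource in this one namespace and nothing else.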