I just ran into this same issue recently and it turns out that the permissions given to the default ServiceAccount in Kubernetes Role-based access control (RBAC) are not high enough to allow for the TcpDiscoveryKubernetesIpFinder to talk to the kubernetes service at "https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/default/endpoints/ignite" which is why you get a 403 unauthorized exception. I found a work around in the link below which grants the default ServiceAccount a ClusterRole of "cluster-admin" in K8, then the Ignite PODs can communicate.
https://github.com/fluent/fluentd-kubernetes-daemonset/issues/14 <https://github.com/fluent/fluentd-kubernetes-daemonset/issues/14> My question is, does the community have any documentation or knowledge in the Ignite space for what permissions are required in Kubernetes in order for an Ignite cluster to operate properly? It seems like granting "cluster-admin" could be a bit risky for a production solution, especially if you plan to have many Ignite clusters, each with their own K8 namespace for example. I read through the Kubernetes Deployment documentation for Ignite and did not see any reference to RBAC which was implemented in K8 v1.8. I suspect that maybe the Ignite documentation was written prior to this release? Thanks in advance for light you could shed on the subject. Kubernetes v1.9.2 Ignite v2.3.0 -- Sent from: http://apache-ignite-users.70518.x6.nabble.com/