I just ran into this same issue recently and it turns out that the
permissions given to the default ServiceAccount in Kubernetes Role-based
access control (RBAC) are not high enough to allow for the
TcpDiscoveryKubernetesIpFinder to talk to the Kubernetes service at
"https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/default/endpoints/ignite",
which is why you get a 403 unauthorized exception. I found a workaround in
the link below which grants the default ServiceAccount a ClusterRole of
"cluster-admin" in K8, then the Ignite pods can communicate.

https://github.com/fluent/fluentd-kubernetes-daemonset/issues/14

My question is, does the community have any documentation or knowledge in
the Ignite space for what permissions are required in Kubernetes in order
for an Ignite cluster to operate properly? It seems like granting
"cluster-admin" could be a bit risky for a production solution, especially
if you plan to have many Ignite clusters, each with their own K8 namespace
for example. I read through the Kubernetes Deployment documentation for
Ignite and did not see any reference to RBAC, which was implemented in K8
v1.8. I suspect that maybe the Ignite documentation was written prior to
this release?

Thanks in advance for any light you could shed on the subject.

Kubernetes v1.9.2
Ignite v2.3.0




--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
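
Editor's added example, not part of the original post and not taken from the Ignite documentation: a namespaced Role scoped to the single Endpoints object in the URL quoted above, bound to a dedicated ServiceAccount instead of granting "cluster-admin" to the default one. The ServiceAccount and Role names are hypothetical, and the `get` verb is an assumption based on the request being a read of that one object.

```yaml
# Dedicated identity for the Ignite pods (name is assumed; reference it
# via serviceAccountName in the Ignite pod spec).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ignite
  namespace: default          # namespace taken from the URL in the post
---
# Namespaced Role: read access to one Endpoints object only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ignite-endpoints-reader   # assumed name
  namespace: default
rules:
- apiGroups: [""]                 # core API group (/api/v1)
  resources: ["endpoints"]
  resourceNames: ["ignite"]       # the Endpoints object named in the URL
  verbs: ["get"]                  # assumption: the IP finder only reads it
---
# Bind the Role to the dedicated ServiceAccount, in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ignite-endpoints-reader
  namespace: default
subjects:
- kind: ServiceAccount
  name: ignite
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ignite-endpoints-reader
```

The grant can be checked with `kubectl auth can-i get endpoints/ignite -n default --as=system:serviceaccount:default:ignite`. With one Ignite cluster per namespace, the same three objects are repeated per namespace, so no identity holds rights outside its own.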
