Ignite on AKS and RBAC issue

steve.hostettler Fri, 10 Jul 2020 07:58:55 -0700

Hello,

I  am deploying an embeded version of ignite on AKS and I am getting this
error:
Caused by: java.io.IOException: Server returned HTTP response code: 403 for
URL:
https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/default/endpoints/processing-engine-pe-v1-ignite
        at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
        at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)



That sounds like a problem with the RBAC to me but I cannot nail it down.
So let me give my current configuration:

NAME                                              READY   STATUS    RESTARTS  
AGE
processing-engine-pe-v1.master-69668fcb5b-zm7m8   1/1     Running   0         
9m6s
processing-engine-pe-v1.worker-7598949c5d-pkbfg   1/1     Running   0         
9m6s

As you can see 2 pods on the default namespace

So the configuration  is
    <bean id="tcpDiscoveryKubernetesIpFinder"
class="org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder">
        <property name="namespace" value="default" />
        <property name="serviceName" value="processing-engine-pe-v1-ignite"
/>
    </bean>

The service is there
kubectl describe  svc processing-engine-pe-v1-ignite
Name:              processing-engine-pe-v1-ignite
Namespace:         default
Labels:            app.kubernetes.io/managed-by=Helm
Annotations:       meta.helm.sh/release-name: pe-v1
                   meta.helm.sh/release-namespace: default
Selector:          type=processing-engine-pe-v1.node
Type:              ClusterIP
IP:                None
Port:              service-discovery  47500/TCP
TargetPort:        47500/TCP
Endpoints:         10.244.0.31:47500,10.244.1.28:47500
Session Affinity:  None
Events:            <none>

The service account
kubectl describe serviceaccount ignite
Name:                ignite
Namespace:           default
Labels:              app.kubernetes.io/managed-by=Helm
Annotations:         meta.helm.sh/release-name: pe-v1
                     meta.helm.sh/release-namespace: default
Image pull secrets:  <none>
Mountable secrets:   **********
Tokens:              **********
Events:              <none>


The role
kubectl describe clusterrole ignite
Name:         ignite
Labels:       app.kubernetes.io/managed-by=Helm
              release=pe-v1
Annotations:  meta.helm.sh/release-name: pe-v1
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  endpoints  []                 []              [get list watch]
  pods       []                 []              [get list watch]

The role binding
kubectl describe clusterrolebinding ignite
Name:         ignite
Labels:       app.kubernetes.io/managed-by=Helm
              release=pe-v1
Annotations:  meta.helm.sh/release-name: pe-v1
              meta.helm.sh/release-namespace: default
Role:
  Kind:  ClusterRole
  Name:  ignite
Subjects:
  Kind            Name    Namespace
  ----            ----    ---------
  ServiceAccount  ignite  default


Any idea of what I am missing?



--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/

Ignite on AKS and RBAC issue

Reply via email to