[ https://issues.apache.org/jira/browse/FLINK-27211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521803#comment-17521803 ]

James Busche commented on FLINK-27211:
--------------------------------------

Hi [~wangyang0918], [~mbalassi], OpenShift has more security enabled by 
default.  For example, in the security section of this 
[Kubernetes-vs-openshift|https://thechief.io/c/editorial/kubernetes-vs-openshift-what-you-need-know/]
 doc it mentions "OpenShift offers strict security policies and is more 
restrictive than Kubernetes."  So the RBAC permissions needed some additional 
finalizers permissions added in order to be able to launch and later cleanup 
pods that the Flink operator is managing.

> RBAC deployments/finalizers missing for OpenShift Deployment
> ------------------------------------------------------------
>
>                 Key: FLINK-27211
>                 URL: https://issues.apache.org/jira/browse/FLINK-27211
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-0.1.0
>            Reporter: James Busche
>            Assignee: James Busche
>            Priority: Major
>
> On OpenShift 4.8 when applying the basic.yaml, we see in the operator logs:
>
> 2022-04-12 23:11:56,290 i.j.o.p.e.ReconciliationDispatcher [ERROR][default/basic-example] Error during event processing ExecutionScope{ resource id: CustomResourceID{name='basic-example', namespace='default'}, version: 680939} failed.
> org.apache.flink.kubernetes.operator.exception.ReconciliationException: org.apache.flink.client.deployment.ClusterDeploymentException: Could not create Kubernetes cluster "basic-example".
> ....
> Caused by: org.apache.flink.kubernetes.shaded.io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://172.30.0.1/api/v1/namespaces/default/services. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. services "basic-example" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>.
>
> Manually, this can be fixed by adding to the flink role under apps apiGroups:
>   - deployments/finalizers
>  
> and adding to the flink-operator clusterrole under apps apiGroups:
>   - deployments/finalizers
>  
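For reference, here is the namespaced Role as it fails on OpenShift next to the corrected one, as an added example that is not taken from the issue or from the operator's own manifests. The denial in the log comes from the OwnerReferencesPermissionEnforcement admission plugin (enabled by default on OpenShift), which only lets a subject set blockOwnerDeletion on a child object if that subject can update the finalizers subresource of the referenced owner. The role name "flink" is from the issue text; the namespace, the service account binding and the verb list are assumptions.

```yaml
# Before: the operator can manage Deployments, but the admission plugin still
# rejects creating a Service whose ownerReference (blockOwnerDeletion: true)
# points at a Deployment, because "deployments/finalizers" is not granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink            # role name taken from the issue
  namespace: default     # assumed namespace
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
---
# After: the finalizers subresource is added as its own rule. Only "update"
# is required for it; the admission check is an update SubjectAccessReview
# on <owner kind>/finalizers, so nothing broader needs to be granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink
  namespace: default
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments/finalizers"]
    verbs: ["update"]
---
# Assumed binding of the Role to the service account the JobManager runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-role-binding   # assumed name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: flink              # assumed service account name
    namespace: default
roleRef:
  kind: Role
  name: flink
  apiGroup: rbac.authorization.k8s.io
```

To confirm the fix took effect before re-running basic.yaml, impersonate the service account and ask the API server directly: `kubectl auth can-i update deployments --subresource=finalizers -n default --as=system:serviceaccount:default:flink` should answer `yes`. The same subresource must be present in the flink-operator ClusterRole for the operator's own service account.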



--
This message was sent by Atlassian Jira
(v8.20.1#820001)