I am migrating an HA standalone Kubernetes app to use the Flink operator. The HA store is S3 using IRSA, so the app needs to run with a serviceAccount that is authorized to access S3. In standalone mode, HA worked once I gave the account permissions to edit configMaps. But when trying the operator with the custom serviceAccount, I am getting this error:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps "MYAPPNAME" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".

Does the serviceAccount need additional permissions besides configMap edit to be able to run HA using the operator?

Thanks,
Javier Vegas