Since the flink-kubernetes-operator is using native K8s integration[1] by default, you need to grant permissions for pods and deployments as well as ConfigMaps.
You could find more information about the RBAC here[2].

[1]. https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
[2]. https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/

Best,
Yang

Javier Vegas <jve...@strava.com> wrote on Wed, Sep 7, 2022 at 04:17:

> I am migrating an HA standalone Kubernetes app to use the Flink operator.
> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
> that is authorized to access S3. In standalone mode HA worked once I gave
> the account permissions to edit configMaps. But when trying the operator
> with the custom serviceAccount, I am getting this error:
>
> io.fabric8.kubernetes.client.KubernetesClientException: Failure executing:
> GET at:
> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
> Message: Forbidden!Configured service account doesn't have access. Service
> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>
>
> Does the serviceAccount need additional permissions besides configMap edit
> to be able to run HA using the operator?
>
> Thanks,
>
> Javier Vegas
>
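
Added example (not part of either message, and not code from the Flink operator project): a small Python helper that turns "is forbidden" denials like the one quoted above into a Role granting only the denied verbs, plus `kubectl auth can-i` checks to confirm the fix. The role name and the second sample denial are constructed; the operator's RBAC page [2] remains the reference for the full set of permissions.

```python
import re
from collections import defaultdict

# Shape of the API server's RBAC denial text, as in the error quoted in this thread.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)

# Constructed sample: the first denial is the one from the thread; the second
# (core API group, written as "") is made up to show how several denials merge.
SAMPLE = '''deployments.apps "MYAPPNAME" is forbidden:
User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
configmaps "MYAPPNAME-config" is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot update resource "configmaps" in API group "" in the namespace "MYNAMESPACE"'''

def parse_denials(text):
    """Return one dict per namespaced denial; line wraps in the log are ignored."""
    return [m.groupdict() for m in DENIED.finditer(" ".join(text.split()))]

def role_for(denials, name="flink-job-minimal"):  # role name is a placeholder
    """Build a Role manifest (as a dict) granting only the verbs that were denied."""
    namespaces = {d["ns"] for d in denials}
    if len(namespaces) != 1:
        raise ValueError("expected denials from exactly one namespace")
    verbs = defaultdict(set)
    for d in denials:
        verbs[(d["group"], d["resource"])].add(d["verb"])
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespaces.pop()},
        "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                  for (g, r), v in sorted(verbs.items())],
    }

def can_i_commands(denials):
    """kubectl checks to re-run after binding the Role to the service account."""
    cmds = []
    for d in denials:
        base, _, sub = d["resource"].partition("/")
        target = f'{base}.{d["group"]}' if d["group"] else base
        extra = f" --subresource={sub}" if sub else ""
        cmds.append(f'kubectl auth can-i {d["verb"]} {target}{extra} -n {d["ns"]} '
                    f'--as=system:serviceaccount:{d["sa_ns"]}:{d["sa"]}')
    return cmds

if __name__ == "__main__":
    import json
    found = parse_denials(SAMPLE)
    print(json.dumps(role_for(found), indent=2))
    print("\n".join(can_i_commands(found)))
```

A Role built this way covers only the calls that have already failed, so expect to repeat the cycle as the operator reaches further API calls.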