Hi, Yang! When you say the operator uses native k8s integration by default, does that mean there is a way to change that to use standalone K8s? I haven't seen anything about that in the docs, besides a mention that standalone support is coming in version 1.2 of the operator.
Thanks,
Javier

On Thu, Sep 8, 2022, 22:50 Yang Wang <danrtsey...@gmail.com> wrote:

> Since the flink-kubernetes-operator is using native K8s integration[1] by
> default, you need to give the permissions of pod and deployment as well as
> ConfigMap.
>
> You could find more information about the RBAC here[2].
>
> [1].
> https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
> [2].
> https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>
> Best,
> Yang
>
> Javier Vegas <jve...@strava.com> wrote on Wed, Sep 7, 2022 at 04:17:
>
>> I am migrating a HA standalone Kubernetes app to use the Flink operator.
>> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
>> that is authorized to access S3. In standalone mode HA worked once I gave
>> the account permissions to edit configMaps. But when trying the operator
>> with the custom serviceAccount, I am getting this error:
>>
>> io.fabric8.kubernetes.client.KubernetesClientException: Failure
>> executing: GET at:
>> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
>> Message: Forbidden!Configured service account doesn't have access. Service
>> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
>> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
>> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>
>>
>> Does the serviceAccount need additional permissions besides configMap
>> edit to be able to run HA using the operator?
>>
>> Thanks,
>>
>> Javier Vegas
>>
>
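
Added example, not part of the thread or of the Flink project's code: a small Python helper that reads `Forbidden` messages like the one quoted above and turns them into the RBAC rules the service account was denied, so the Role can be extended with only those verbs. The function names, the Role name `flink-denied-verbs` and the two `pods` log lines are constructed for illustration; only the first log entry comes from the thread.

```python
import re
from collections import defaultdict

# Denial sentence returned by the API server; fabric8 embeds it in the exception text.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>[\w*]+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"'
)

def parse_denials(log_text):
    """Return one dict per namespaced RBAC denial; whitespace is flattened first
    because stack traces wrap the message across lines."""
    return [m.groupdict() for m in DENIAL.finditer(" ".join(log_text.split()))]

def missing_rules(denials):
    """Group denied verbs by (namespace, serviceAccount), then (apiGroup, resource)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for d in denials:
        grouped[(d["ns"], d["sa"])][(d["group"], d["resource"])].add(d["verb"])
    return {
        subject: [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                  for (g, r), v in sorted(rules.items())]
        for subject, rules in grouped.items()
    }

def render_role(namespace, name, rules):
    """Render a namespaced Role manifest that grants only the denied verbs."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "rules:"]
    for rule in rules:
        lines.append(f'  - apiGroups: ["{rule["apiGroups"][0]}"]')
        lines.append(f'    resources: ["{rule["resources"][0]}"]')
        lines.append("    verbs: [" + ", ".join(f'"{v}"' for v in rule["verbs"]) + "]")
    return "\n".join(lines)

# First entry is the message from the thread; the two "pods" lines are constructed samples.
SAMPLE_LOG = '''
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at:
https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
Message: Forbidden!Configured service account doesn't have access. Service
account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
pods is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot list resource "pods" in API group "" in the namespace "MYNAMESPACE"
pods is forbidden: User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot watch resource "pods" in API group "" in the namespace "MYNAMESPACE"
'''

if __name__ == "__main__":
    for (ns, sa), rules in missing_rules(parse_denials(SAMPLE_LOG)).items():
        print(render_role(ns, "flink-denied-verbs", rules))
```

A denial log only shows the verbs the client has attempted so far, so the result is a lower bound; compare it with the operator's RBAC documentation linked in the thread before applying it.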