Hi, Yang!

When you say the operator uses native k8s integration by default, does that
mean there is a way to change that to use standalone K8s? I haven't seen
anything about that in the docs, besides a mention that standalone support
is coming in version 1.2 of the operator.

Thanks,

Javier


On Thu, Sep 8, 2022, 22:50 Yang Wang <danrtsey...@gmail.com> wrote:

> Since the flink-kubernetes-operator is using native K8s integration[1] by
> default, you need to give the permissions of pod and deployment as well as
> ConfigMap.
>
> You could find more information about the RBAC here[2].
>
> [1].
> https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/
> [2].
> https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-release-1.1/docs/operations/rbac/
>
> Best,
> Yang
>
> On Wed, Sep 7, 2022 at 04:17, Javier Vegas <jve...@strava.com> wrote:
>
>> I am migrating a HA standalone Kubernetes app to use the Flink operator.
>> The HA store is S3 using IRSA so the app needs to run with a serviceAccount
>> that is authorized to access S3. In standalone mode HA worked once I gave
>> the account permissions to edit configMaps. But when trying the operator
>> with the custom serviceAccount, I am getting this error:
>>
>> io.fabric8.kubernetes.client.KubernetesClientException: Failure
>> executing: GET at:
>> https://172.20.0.1/apis/apps/v1/namespaces/MYNAMESPACE/deployments/MYAPPNAME.
>> Message: Forbidden!Configured service account doesn't have access. Service
>> account may have been revoked. deployments.apps "MYAPPNAME" is forbidden:
>> User "system:serviceaccount:MYNAMESPACE:MYSERVICEACCOUNT" cannot get
>> resource "deployments" in API group "apps" in the namespace "MYNAMESPACE".
>>
>>
>> Does the serviceAccount need additional permissions besides configMap
>> edit to be able to run HA using the operator?
>>
>> Thanks,
>>
>> Javier Vegas
>>
>
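
The permission gap discussed in this thread, as an added example that is not part of the original messages or of the Flink operator's code: a small evaluator that checks a Role's rules against the API requests a workload has to make. The rule sets and verb lists are constructed assumptions (only `get` on `deployments` in API group `apps` comes from the error message); the RBAC page linked in the reply is authoritative for the real rules.

```python
"""Check a Role's rules against the API requests a workload must make."""

def rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule matches the request; "*" is a wildcard.

    resourceNames and subresources are not modelled in this sketch.
    """
    def match(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def missing_permissions(rules, required):
    """Return the required (apiGroup, resource, verb) tuples no rule grants."""
    return [req for req in required
            if not any(rule_allows(rule, *req) for rule in rules)]

# Assumed verb set standing in for "edit" access.
EDIT_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# Constructed rules: the ConfigMap-only access that was enough in standalone mode.
CONFIGMAP_ONLY = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": EDIT_VERBS},
]

# Constructed rules: the same Role extended with pods and deployments,
# the resources named in the reply. Verb lists are assumptions.
NATIVE_K8S = CONFIGMAP_ONLY + [
    {"apiGroups": [""], "resources": ["pods"], "verbs": EDIT_VERBS},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": EDIT_VERBS},
]

# Requests to check: the first is the one denied in the error message,
# the other two are assumed examples for the resources named in the reply.
REQUIRED = [
    ("apps", "deployments", "get"),
    ("", "pods", "get"),
    ("", "configmaps", "update"),
]

if __name__ == "__main__":
    for name, rules in (("configmap-only", CONFIGMAP_ONLY),
                        ("native-k8s", NATIVE_K8S)):
        gaps = missing_permissions(rules, REQUIRED)
        print(name, "missing:", gaps or "nothing")
```

Listing the gaps this way keeps the service account scoped to the resources the operator's native mode actually touches, rather than widening it to a cluster-wide role.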
