Hey! Sounds like a bug :) Could you please open a jira / PR (in case you fixed this already)?
Thanks
Gyula

On Mon, 8 May 2023 at 22:20, Andrew Otto <o...@wikimedia.org> wrote:

> Hi,
>
> I'm trying to enable HA for flink-kubernetes-operator
> <https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/operations/configuration/#leader-election-and-high-availability>
> with Helm. We are using namespaced RBAC via watchedNamespaces.
>
> I've followed instructions and set
> kubernetes.operator.leader-election.enabled and
> kubernetes.operator.leader-election.lease-name, and increased replicas to
> 2. When I deploy, the second replica comes online, but errors with:
>
> Exception occurred while acquiring lock 'LeaseLock: flink-operator -
> flink-operator-lease (flink-kubernetes-operator-86b888d6b6-8cxjs
> Failure executing: GET at:
> https://x.x.x.x/apis/coordination.k8s.io/v1/namespaces/flink-operator/leases/flink-operator-lease.
> Message: Forbidden!Configured service account doesn't have access. Service
> account may have been revoked. leases.coordination.k8s.io
> "flink-operator-lease" is forbidden: User
> "system:serviceaccount:flink-operator:flink-operator" cannot get resource
> "leases" in API group "coordination.k8s.io" in the namespace
> "flink-operator".
>
> Looking at the rbac.yaml helm template
> <https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/templates/rbac.yaml>,
> it looks like the Role and RoleBindings that grant access to the leases
> resource are created for the configured watchNamespaces, but not for the
> namespace in which the flink-kubernetes-operator is deployed. I think that
> for HA, the flink-kubernetes-operator is going to be asking k8s for Leases
> in its own namespace, right?
>
> Is this a bug, or am I doing something wrong? I'd file a JIRA, but I
> betcha I'm just doing something wrong (unless I'm the first person who's
> tried to use HA + namespaced RBAC with the helm charts?).
>
> Thanks!
> -Andrew Otto
> Wikimedia Foundation
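
The permission gap described in the thread, written out as a least-privilege Role and RoleBinding in the operator's own namespace. This is an added example, not part of the original messages and not the project's Helm chart. The namespace, service account and lease name come from the error message above; the Role and RoleBinding names are hypothetical, and every verb other than `get` is an assumption about what lease-based leader election needs.

```yaml
# Added example, not from the flink-kubernetes-operator Helm chart.
# Namespace, service account and lease name are taken from the error message
# in the thread; the Role/RoleBinding names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-operator-leader-election   # hypothetical name
  namespace: flink-operator              # namespace the operator itself runs in
rules:
  # Access scoped to the single lease used for leader election.
  # Only "get" is confirmed by the error; "update" and "patch" are assumed.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["flink-operator-lease"]
    verbs: ["get", "update", "patch"]
  # "create" cannot be restricted by resourceNames, so it gets its own rule.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-operator-leader-election   # hypothetical name
  namespace: flink-operator
subjects:
  - kind: ServiceAccount
    name: flink-operator
    namespace: flink-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-operator-leader-election
```

After applying, `kubectl auth can-i get leases/flink-operator-lease -n flink-operator --as=system:serviceaccount:flink-operator:flink-operator` should answer `yes`, while the same check in a namespace the operator neither runs in nor watches should still answer `no`.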