GoogleCloudPlatform / flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Apache License 2.0

cert-job POD failing while installing HELM charts #463

Open mishra157 opened 3 years ago

mishra157 commented 3 years ago

```
NAME             READY   STATUS   RESTARTS   AGE
cert-job-ld89n   0/1     Error    0          12m
```

```
+ kubectl create secret generic webhook-server-cert --from-file=tls.key=/tmp/tmp.aMgt0HWzSq/server-key.pem --from-file=tls.crt=/tmp/tmp.aMgt0HWzSq/server-cert.pem --dry-run -o yaml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "webhook-server-cert", Namespace: "flink-operator-system"

"kind":"Secret" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "creationTimestamp":<nil> "name":"webhook-server-cert" "namespace":"flink-operator-system"]]}
from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
```

Please let us know what needs to be done in order to resolve this issue.

btkinghome commented 3 years ago

> system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system

It looks like the “serviceaccount” has not been created correctly.

mishra157 commented 3 years ago

But we are using the default service account: "system:serviceaccount:flink-operator-system:default"

mishra157 commented 3 years ago

```
$ kubectl get sa default -n flink-operator-system -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-07-14T06:37:53Z"
  name: default
  namespace: flink-operator-system
  resourceVersion: "171186948"
  selfLink: /api/v1/namespaces/flink-operator-system/serviceaccounts/default
  uid: fb6be38f-2a92-4d90-a6bc-587f6230b488
secrets:
```

We are using the command below to install:

```
helm3 install ddp-faas flink-operator-repo/flink-operator --set operatorImage.name=gcr.io/flink-operator/flink-operator:latest -n sumit-test
```

mishra157 commented 3 years ago

We could install it after updating the role and rolebinding, but in the pod logs we are getting the below:

```
$ kubectl logs -n flink-operator-system -l app=flink-operator --all-containers
I0714 15:45:29.023454 1 main.go:209] Generating self signed cert as no cert is provided
I0714 15:45:29.592324 1 main.go:242] Listening securely on 0.0.0.0:8443
E0714 15:58:28.598175 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 15:59:19.506093 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 15:59:50.362105 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:00:25.123011 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:01:13.348306 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:02:12.612202 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:03:00.463396 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:03:32.244414 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:04:23.012948 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:05:02.065037 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
```

Describe pod shows the Flink operator started.

```
Events:
Type Reason Age From Message
Normal Scheduled Successfully assigned flink-operator-system/flink-operator-controller-manager-848b69b444-jhvtz to 10.148.145.111
Normal Pulled 39s kubelet, 10.148.145.111 Container image "gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0" already present on machine
Normal Created 39s kubelet, 10.148.145.111 Created container kube-rbac-proxy
Normal Started 39s kubelet, 10.148.145.111 Started container kube-rbac-proxy
Normal Pulling 39s kubelet, 10.148.145.111 Pulling image "gcr.io/flink-operator/flink-operator:latest"
Normal Pulled 38s kubelet, 10.148.145.111 Successfully pulled image "gcr.io/flink-operator/flink-operator:latest" in 181.697732ms
Normal Created 38s kubelet, 10.148.145.111 Created container flink-operator
Normal Started 38s kubelet, 10.148.145.111 Started container flink-operator
```
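Added example, not part of the thread or of the operator's code: a small Python parser that turns the "forbidden" messages quoted above into the narrowest RBAC rules that would satisfy them, separating namespaced denials (Role) from cluster-scope ones (ClusterRole). The function names `rbac_rules` and `uses_default_sa` are hypothetical, and the sample input is the two distinct denial lines copied from the posts.

```python
import re
from collections import defaultdict

# Wording of the API server denials as they appear in this thread.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)')

# Sample input: the two distinct denials from the thread.
SAMPLE = [
    'from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"',
    'E0714 15:58:28.598175 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.3/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope',
]

def rbac_rules(lines):
    """Group denials into one rule per (subject, scope, group, resource).

    Returns {(user, kind, namespace): [rule, ...]}. kind is "Role" for a
    namespaced denial and "ClusterRole" (namespace None) for a cluster-scope
    one. Repeated log lines collapse into a single rule.
    """
    verbs = defaultdict(set)
    for line in lines:
        for m in DENIED.finditer(line):
            ns = m["namespace"]  # None when the denial is at cluster scope
            scope = (m["user"], "Role" if ns else "ClusterRole", ns)
            verbs[scope, m["group"], m["resource"]].add(m["verb"])
    rules = defaultdict(list)
    for (scope, group, resource), vs in sorted(verbs.items(), key=str):
        rules[scope].append(
            {"apiGroups": [group], "resources": [resource], "verbs": sorted(vs)})
    return dict(rules)

def uses_default_sa(user):
    """True for a namespace's `default` ServiceAccount, which every pod in the
    namespace runs as unless it sets serviceAccountName."""
    parts = user.split(":")
    return parts[:2] == ["system", "serviceaccount"] and parts[-1] == "default"

if __name__ == "__main__":
    for (user, kind, ns), rules in rbac_rules(SAMPLE).items():
        shared = " (shared default ServiceAccount)" if uses_default_sa(user) else ""
        print(f"{kind} in {ns or 'cluster scope'} for {user}{shared}")
        for rule in rules:
            print("  ", rule)
```

The logs only show the first verb that was refused; a client-go reflector lists and then watches, so a `watch` denial can follow once `list` is granted. Binding these rules to the `default` ServiceAccount hands them to every pod in the namespace that does not name its own account, so a dedicated ServiceAccount is the tighter choice.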