Use Role and RoleBinding for namespace scoped operator failed
Hi Community,
I want to use a Role and RoleBinding to build a namespace-scoped k8s operator that only controls the CR events in one namespace. If I change this to ClusterRole and ClusterRoleBinding, the problem goes away. I just want to check if it is possible to make it work with Role and RoleBinding. My CRD is namespace scoped.
I am getting the error:
2022-02-17 00:01:24,203 ERROR org.apache.flink.kubernetes.operator.KubernetesOperatorEntrypoint [] - Exception occurred, but caught
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/apis/flink.operator.io/v1/flinkapplications. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. flinkapplications.flink.operator.io is forbidden: User "system:serviceaccount:default:flink-native-k8s-operator" cannot list resource "flinkapplications" in API group "flink.operator.io" at the cluster scope.
This is my main class. Maybe I misused some APIs? Please suggest. Thanks!!!
import java.util.concurrent.Future;

import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.dsl.MixedOperation;
import io.fabric8.kubernetes.client.dsl.Resource;
import io.fabric8.kubernetes.client.dsl.base.OperationContext;
import io.fabric8.kubernetes.client.informers.SharedIndexInformer;
import io.fabric8.kubernetes.client.informers.SharedInformerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// FlinkApplication, FlinkApplicationList, FlinkApplicationController and Constants
// are the operator's own classes (assumed to live in this package).
public class KubernetesOperatorEntrypoint {
    private static final Logger LOG = LoggerFactory.getLogger(KubernetesOperatorEntrypoint.class);

    public static void main(String[] args) {
        try (KubernetesClient k8sClient = new DefaultKubernetesClient()) {
            String namespace = k8sClient.getNamespace();
            if (namespace == null) {
                LOG.info("No namespace found via config, assuming default.");
                namespace = "default";
            }
            LOG.info("Using namespace : " + namespace);
            final SharedInformerFactory informerFactory = k8sClient.informers();
            // Created without a namespace, so this informer lists the CR across all
            // namespaces (cluster scope). The factory registers it regardless of the
            // watch level, and startAllRegisteredInformers() below starts it too.
            SharedIndexInformer<FlinkApplication> flinkAppinformer =
                informerFactory.sharedIndexInformerFor(FlinkApplication.class, 30 * 1000L);
            if (Constants.OPERATOR_WATCH_LEVEL.equalsIgnoreCase("namespace")) {
                // Second, namespace-scoped informer used in namespace mode.
                flinkAppinformer = informerFactory.sharedIndexInformerFor(
                    FlinkApplication.class, new OperationContext().withNamespace(namespace), 30 * 1000L);
            }
            LOG.info("Flink operator running in {} mode. In namespace mode, it will only watch {} namespace" +
                " (the namespace operator is deployed) for Flink CR change events, " +
                "In cluster mode, it will watch all namespaces' Flink CR change events.",
                Constants.OPERATOR_WATCH_LEVEL, namespace);
            MixedOperation<FlinkApplication, FlinkApplicationList, Resource<FlinkApplication>> flinkAppK8sClient =
                k8sClient.customResources(FlinkApplication.class, FlinkApplicationList.class);
            FlinkApplicationController flinkApplicationController = new FlinkApplicationController(
                k8sClient,
                flinkAppK8sClient,
                flinkAppinformer,
                namespace);
            flinkApplicationController.create();
            informerFactory.addSharedInformerEventListener(
                exception -> LOG.error("Exception occurred, but caught", exception));
            // Starts every informer registered with the factory, including the cluster-scoped one.
            final Future<Void> startInformersFuture = informerFactory.startAllRegisteredInformers();
            startInformersFuture.get();
            flinkApplicationController.run();
        } catch (Exception exception) {
            LOG.error("Kubernetes Client Exception : ", exception);
        }
    }
}
Top GitHub Comments
You'll need to specify inNamespace in SharedInformerFactory in order to have a namespaced informer:
Or use the more flexible DSL inform method:
If everything is namespaced, and your Role and RoleBinding are properly configured, everything should work.
I recall there might be some issues with some older versions of the Client and namespaced usage of SharedInformers (@shawkins)
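As an added example (not from the issue or the Flink operator project), a namespace-scoped RBAC setup that matches the error message above: a Role and RoleBinding for the service account named in the error, granting it the verbs an informer needs only in the default namespace. The Role name, the verb list and the status subresource rule are assumptions.

```yaml
# Namespace-scoped RBAC for the operator's service account.
# Service account name, namespace, API group and resource are taken from the
# error message in the issue; the verb list is an assumption (what a
# list/watch informer plus status updates need), not the project's manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink-native-k8s-operator
  namespace: default
---
# A Role (not a ClusterRole) can only authorize requests inside its own
# namespace. A list request "at the cluster scope" (no namespace in the URL,
# as in the error above) is never satisfied by a Role, so the informer must
# be created for the namespace for this to be sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-operator          # assumed name
  namespace: default
rules:
  - apiGroups: ["flink.operator.io"]
    resources: ["flinkapplications"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Only needed if the CRD enables the status subresource (assumption).
  - apiGroups: ["flink.operator.io"]
    resources: ["flinkapplications/status"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-operator          # assumed name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: flink-native-k8s-operator
    namespace: default
roleRef:
  kind: Role
  name: flink-operator
  apiGroup: rbac.authorization.k8s.io
```

Check the result with `kubectl auth can-i list flinkapplications.flink.operator.io --as=system:serviceaccount:default:flink-native-k8s-operator -n default` (expected: yes) and the same query with `--all-namespaces` (expected: no), which is the intended outcome for a namespace-scoped operator.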