User "system:serviceaccount:default:flink" cannot list resource "nodes" in API g

Time:10-14

I am trying to call the k8s API from one k8s pod, but I hit the following permission issue:

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.

In my yaml file, I have already specified the Role & RoleBinding. What am I missing here?

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "deployments", "nodes"]
  verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: flink
roleRef:
  kind: ClusterRole
  name: zeppelin-server-role
  apiGroup: rbac.authorization.k8s.io

CodePudding user response:

You are deploying zeppelin-server on Kubernetes, right? Your yaml file with the service account looks good, I suppose; however, to be sure that this works, you should follow these steps:

  • kubectl get clusterrole

and you should get the zeppelin-server-role role.

  • check if your account 'flink' has a binding to clusterrole "zeppelin-server-role"

kubectl get clusterrolebinding

If there is none, you can create it with the following command:

kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink

  • finally, check if you really act as this account:

kubectl get deploy flink-deploy -o yaml

If you can't see the settings "serviceAccount" and "serviceAccountName" in the output, which looks something like:

...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...

then add the account you want flink to use:

kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccountName":"flink"}}}}'
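An added example (not from the question or the answer) that models the rule behind the error above: a RoleBinding grants permissions only inside its own namespace, even when its roleRef is a ClusterRole, so a cluster-scope request such as listing "nodes" needs a ClusterRoleBinding. The manifests are the question's, transcribed as Python dicts so the check runs without a cluster, and `can_i` mirrors what `kubectl auth can-i --as=system:serviceaccount:default:flink list nodes` would answer.

```python
"""Static RBAC check modelling the question's error (added example, not from the post).

A RoleBinding grants only inside its own namespace even when its roleRef is a ClusterRole,
so a cluster-scope request (listing "nodes") needs a ClusterRoleBinding. The manifests are
the question's, transcribed as Python dicts (constructed input) so this runs without a cluster.
"""

USER = "system:serviceaccount:default:flink"

# The question's ClusterRole rules, transcribed verbatim.
CLUSTER_ROLES = {
    "zeppelin-server-role": [
        {"apiGroups": [""],
         "resources": ["pods", "services", "configmaps", "deployments", "nodes"],
         "verbs": ["create", "get", "update", "patch", "list", "delete", "watch"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles", "rolebindings"],
         "verbs": ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]},
    ]
}

# The question's namespaced RoleBinding, and the ClusterRoleBinding that fixes the error.
ROLE_BINDING = {"kind": "RoleBinding", "namespace": "default",
                "subject": USER, "roleRef": "zeppelin-server-role"}
CLUSTER_ROLE_BINDING = {"kind": "ClusterRoleBinding",
                        "subject": USER, "roleRef": "zeppelin-server-role"}


def rule_allows(rule, verb, group, resource):
    """True if one RBAC rule covers this verb, API group and resource ('*' is a wildcard)."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"]))


def can_i(bindings, user, verb, resource, group="", namespace=None):
    """Mirror `kubectl auth can-i --as=<user> <verb> <resource> [-n ns]`; namespace=None is cluster scope."""
    for b in bindings:
        if b["subject"] != user:
            continue
        # A RoleBinding never satisfies a cluster-scope request or one in another
        # namespace, regardless of how broad the ClusterRole it references is.
        if b["kind"] == "RoleBinding" and namespace != b["namespace"]:
            continue
        if any(rule_allows(r, verb, group, resource) for r in CLUSTER_ROLES[b["roleRef"]]):
            return True
    return False  # matches the "cannot list resource ... at the cluster scope" error
```

With the question's RoleBinding the check denies `list nodes` exactly as the API server did; swapping in the ClusterRoleBinding (the answer's `kubectl create clusterrolebinding` step) allows it.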
