Question about native kubernetes ClusterRoleBinding expiring

Chris Guo

hi all

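I am using Flink 1.10.1 with Kubernetes 1.17.

I set up a session cluster and granted permissions as usual; jobs can be submitted and run normally. After some time, resubmitting a job fails because new TMs cannot be created. I have to run kubectl apply -f rbac.yaml again to bind the account to the role before TMs can be created normally.

The corresponding rbac.yaml is as follows: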


apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
  namespace: flink-collect-metric
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flink-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: flink
  namespace: flink-collect-metric


The error message is as follows:


2020-06-10 14:09:14,664 ERROR org.apache.flink.kubernetes.KubernetesResourceManager         - Could not start TaskManager in pod flink-collect-metric-taskmanager-1-509.
java.util.concurrent.CompletionException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.96.0.1/api/v1/namespaces/flink-collect-metric/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
     at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
     at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:280)
     at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1643)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
     at java.lang.Thread.run(Thread.java:748)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.96.0.1/api/v1/namespaces/flink-collect-metric/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
     at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:510)
     at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:447)
     at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:413)
     at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:372)
     at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:241)
     at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:798)
     at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:328)
     at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:324)
     at org.apache.flink.kubernetes.kubeclient.Fabric8FlinkKubeClient.lambda$createTaskManagerPod$0(Fabric8FlinkKubeClient.java:184)
     at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1640)
     ... 3 more

Looking forward to your reply and help.

Best
a511955993
Email: [hidden email]

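Added example, not part of the original post or of Flink's code: a Python helper that pulls the RBAC denial out of a log like the one above and builds the matching `kubectl auth can-i` check, so the same permission can be tested right after `kubectl apply -f rbac.yaml` and again once TaskManager creation starts failing. The function names and the shortened sample log are constructed for this example.

```python
import re
import shlex

# RBAC denial text returned by the Kubernetes API server, as it appears
# inside the fabric8 KubernetesClientException message in the Flink log.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# Constructed sample: the two denial lines from the trace above, shortened.
SAMPLE_LOG = '''\
java.util.concurrent.CompletionException: ... pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
Caused by: ... pods is forbidden: User "system:serviceaccount:flink-collect-metric:flink" cannot create resource "pods" in API group "" in the namespace "flink-collect-metric".
'''


def parse_denials(log_text):
    """Return each distinct RBAC denial in log_text once, in first-seen order."""
    seen, denials = set(), []
    for match in FORBIDDEN_RE.finditer(log_text):
        denial = match.groupdict()  # namespace is None for cluster-scoped denials
        key = tuple(denial.values())
        if key not in seen:
            seen.add(key)
            denials.append(denial)
    return denials


def can_i_command(denial):
    """Build the `kubectl auth can-i` check that re-tests one denial."""
    # Core API group "" gives a bare resource (pods); others use resource.group.
    resource = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    cmd = ["kubectl", "auth", "can-i", denial["verb"], resource, "--as", denial["user"]]
    if denial["namespace"]:
        cmd += ["--namespace", denial["namespace"]]
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(can_i_command(d))
```

Running the generated command needs a kubeconfig identity that is allowed to impersonate the service account.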