This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

cert-job POD failing while installing HELM charts #463

Open
mishra157 opened this issue Jul 14, 2021 · 4 comments

Comments

@mishra157

```
NAME             READY   STATUS   RESTARTS   AGE
cert-job-ld89n   0/1     Error    0          12m
```

```
+ kubectl create secret generic webhook-server-cert --from-file=tls.key=/tmp/tmp.aMgt0HWzSq/server-key.pem --from-file=tls.crt=/tmp/tmp.aMgt0HWzSq/server-cert.pem --dry-run -o yaml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=secrets", GroupVersionKind: "/v1, Kind=Secret"
Name: "webhook-server-cert", Namespace: "flink-operator-system"

"kind":"Secret" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "creationTimestamp":<nil> "name":"webhook-server-cert" "namespace":"flink-operator-system"]]}
from server for: "STDIN": secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
```

Please let us know what needs to be done in order to resolve this issue.

@btkinghome

system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system

It looks like the "serviceaccount" has not been created correctly.

@mishra157
Author

mishra157 commented Jul 14, 2021

But we are using the default service account.
"system:serviceaccount:flink-operator-system:default"

@mishra157
Author

```
$ kubectl get sa default -n flink-operator-system -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-07-14T06:37:53Z"
  name: default
  namespace: flink-operator-system
  resourceVersion: "171186948"
  selfLink: /api/v1/namespaces/flink-operator-system/serviceaccounts/default
  uid: fb6be38f-2a92-4d90-a6bc-587f6230b488
secrets:
- name: default-token-86l47
$ kubectl get sa -n sumit-test
NAME      SECRETS   AGE
default   1         320d
$ kubectl get sa default -n sumit-test -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-08-27T11:10:50Z"
  name: default
  namespace: sumit-test
  resourceVersion: "64291029"
  selfLink: /api/v1/namespaces/sumit-test/serviceaccounts/default
  uid: 8ec42750-5e32-40d2-96c2-5e21e13f230d
secrets:
- name: default-token-5chxb
```

we are using the below command to install

```
helm3 install ddp-faas flink-operator-repo/flink-operator --set operatorImage.name=gcr.io/flink-operator/flink-operator:latest -n sumit-test
```

@mishra157
Author

we could install it after updating role and rolebinding but in pod logs, we are getting below

```
$ kubectl logs -n flink-operator-system -l app=flink-operator --all-containers
I0714 15:45:29.023454 1 main.go:209] Generating self signed cert as no cert is provided
I0714 15:45:29.592324 1 main.go:242] Listening securely on 0.0.0.0:8443
E0714 15:58:28.598175 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 15:59:19.506093 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 15:59:50.362105 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:00:25.123011 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:01:13.348306 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:02:12.612202 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:03:00.463396 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:03:32.244414 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:04:23.012948 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 16:05:02.065037 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
```

describe pod shows the flink operator started.

```
Events:
Type    Reason     Age  From                     Message
Normal  Scheduled                                Successfully assigned flink-operator-system/flink-operator-controller-manager-848b69b444-jhvtz to 10.148.145.111
Normal  Pulled     39s  kubelet, 10.148.145.111  Container image "gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0" already present on machine
Normal  Created    39s  kubelet, 10.148.145.111  Created container kube-rbac-proxy
Normal  Started    39s  kubelet, 10.148.145.111  Started container kube-rbac-proxy
Normal  Pulling    39s  kubelet, 10.148.145.111  Pulling image "gcr.io/flink-operator/flink-operator:latest"
Normal  Pulled     38s  kubelet, 10.148.145.111  Successfully pulled image "gcr.io/flink-operator/flink-operator:latest" in 181.697732ms
Normal  Created    38s  kubelet, 10.148.145.111  Created container flink-operator
Normal  Started    38s  kubelet, 10.148.145.111  Started container flink-operator
```
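
Both failures in this thread are RBAC denials against the namespace's `default` service account. As an added example (not code from the thread or from the flink-operator project), this script parses such "forbidden" messages and groups them into the Role or ClusterRole rules they correspond to, so a reviewer can see exactly which permissions were refused; the function name `rbac_rules` and the sample lines, abridged from the messages above, are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# The API server's RBAC denial text, in the form quoted in this thread.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)'
)

# Constructed sample, abridged from the error messages posted above.
SAMPLE = '''
secrets "webhook-server-cert" is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot get resource "secrets" in API group "" in the namespace "flink-operator-system"
E0714 15:58:28.598175 1 reflector.go:178] Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0714 15:59:19.506093 1 reflector.go:178] Failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:flink-operator-system:default" cannot list resource "statefulsets" in API group "apps" at the cluster scope
'''

def rbac_rules(text):
    """Collapse repeated denials into one rule per subject, scope and resource.

    A denial "in the namespace X" maps to a Role in X; a denial "at the
    cluster scope" maps to a ClusterRole. Verbs are merged per resource.
    """
    grouped = defaultdict(set)
    for m in FORBIDDEN.finditer(text):
        kind = "Role" if m["ns"] else "ClusterRole"
        subject = f'{m["sa_ns"]}/{m["sa"]}'
        key = (kind, m["ns"] or "", subject, m["group"], m["resource"])
        grouped[key].add(m["verb"])
    return [
        {
            "kind": kind,
            "namespace": ns or None,  # None means cluster-wide
            "subject": subject,
            "rule": {"apiGroups": [group], "resources": [resource],
                     "verbs": sorted(verbs)},
        }
        for (kind, ns, subject, group, resource), verbs in sorted(grouped.items())
    ]

if __name__ == "__main__":
    print(json.dumps(rbac_rules(SAMPLE), indent=2))
```

The output lists only the verbs that were attempted and refused so far, so it is a starting point for review rather than a complete grant. Binding the resulting rules to a dedicated service account instead of `default` keeps other pods in the namespace from inheriting them.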
