Kubernetes : Service Accounts Permissions issue with Spring Cloud Data Flow Server

4/24/2018

I have been trying to set up Spring Cloud Dataflow Server for Kubernetes locally using minikube. I have followed the installation instructions in the link here: SCDF Installation Reference

I've been getting the below error for the SCDF server:

11:32:52.095 [main] DEBUG io.fabric8.kubernetes.client.Config - Trying to configure client namespace from Kubernetes service account namespace path...
11:32:52.096 [main] DEBUG io.fabric8.kubernetes.client.Config - Found service account namespace at: [/var/run/secrets/kubernetes.io/serviceaccount/namespace].
2018-04-24 11:33:14.348  WARN 1 --- [           main] o.s.cloud.kubernetes.StandardPodUtils    : Failed to get pod with name:[scdf-server-869d56967c-97lsd]. You should look into this if things aren't working as you expect. Are you missing serviceaccount permissions?

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/default/pods/scdf-server-869d56967c-97lsd. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "scdf-server-869d56967c-97lsd" is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default".

Below are the version details:

  • Spring Cloud Data Flow Server : 1.4.0.RELEASE
  • Kubernetes Local Deployment using minikube
  • Kubernetes Version : 1.10
-- mukulSharma
kubernetes
spring
spring-cloud-dataflow

2 Answers

4/24/2018

From the installation guide, step 7: https://docs.spring.io/spring-cloud-dataflow-server-kubernetes/docs/1.4.0.RELEASE/reference/htmlsingle/#_deploying_using_kubectl

The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with.

$ kubectl create -f src/kubernetes/server/server-roles.yaml
$ kubectl create -f src/kubernetes/server/server-rolebinding.yaml

Did you perform those steps?

-- Jordan Liggitt
Source: StackOverflow

4/24/2018

The latest release of minikube enabled RBAC by default.

For RBAC enabled clusters, we have added a note in the installation section on this matter.

"The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with."

For minikube, however, you can run the following command and retry installing.

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

Alternatively, if you're using the helm-chart, you can disable RBAC and install the chart with the following on minikube.

helm init

helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com

helm repo update

helm install --name my-release --set server.service.type=NodePort --set rbac.create=false incubator/spring-cloud-data-flow

-- Sabby Anandan
Source: StackOverflow
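
An added example, not part of either answer and not the project's own server-roles.yaml: a namespaced Role and RoleBinding that grant only the call denied in the log above (`get` on `pods` in namespace `default`) to the subject named in the error, `system:serviceaccount:default:default`. The name `scdf-pod-reader` is hypothetical, and the server needs further permissions to deploy apps, so this covers the logged failure only.

```yaml
# Constructed example: least-privilege grant for the request in the error message.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scdf-pod-reader        # hypothetical name
  namespace: default           # namespace from the denied request
rules:
  - apiGroups: [""]            # core API group, where pods live
    resources: ["pods"]
    verbs: ["get"]             # the only verb the log shows being denied
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scdf-pod-reader        # hypothetical name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default              # from "system:serviceaccount:default:default"
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scdf-pod-reader
```

After `kubectl apply -f` on this file, `kubectl auth can-i get pods -n default --as=system:serviceaccount:default:default` should answer `yes`, while the same check with `delete` or in another namespace should still answer `no`.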