This message was deleted Apache Druid #general

Join Slack

This message was deleted.

# general

Slackbot

05/31/2023, 7:51 AM

This message was deleted.

David McHealy

05/31/2023, 1:54 PM

I don't think either implementation cares, it is all down to your configuration.

Prabir Choudhury

05/31/2023, 6:08 PM

Hi David, I have installed druid operator and did the required configuration based on https://druid.apache.org/docs/latest/development/extensions-contrib/k8s-jobs.html

Copy code

# within common runtime properties
druid.indexer.runner.namespace=druid-operator
druid.indexer.queue.maxSize=10
druid.processing.intermediaryData.storage.type=deepstore 
## within the overlord config
druid.indexer.runner.type=k8s
druid.indexer.task.encapsulatedTask=true

However, I always see the error

Prabir Choudhury

05/31/2023, 6:13 PM

When I see the overlord log, it says

Copy code

at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: <https://10.255.0.1:443/apis/batch/v1/namespaces/druid-operator/jobs?labelSelector=druid.k8s.peons>. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. jobs.batch is forbidden: User "system:serviceaccount:druid-operator:default" cannot list resource "jobs" in API group "batch" in the namespace "druid-operator".
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:728) ~[?:?]
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:708) ~[?:?]
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:657) ~[?:?]
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:587) ~[?:?]
        at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642) ~[?:?]
        at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506) ~[?:?]
        at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073) ~[?:?]
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$retryWithExponentialBackoff$2(OperationSupport.java:629) ~[?:?]

It seems the service account doesn't have privilege. I have created the role and rolebinding as below

Copy code

apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: Role
metadata:
  name: druid-cluster
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - jobs
  verbs:
  - '*'
---
kind: RoleBinding
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
metadata:
  name: druid-cluster
subjects:
- kind: ServiceAccount
  name: default
  namespace: druid-operator
roleRef:
  kind: Role
  name: druid-cluster
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>

Also if I test the permission, it shows that I have the privilege

Copy code

root@bh-gsn-57-xtz-dev-01:~/druid-op/druid-cluster# kubectl auth can-i create jobs --as=system:serviceaccount:druid-operator:default -n druid-operator
yes

Not sure what I am doing wrong!

Sergio Ferragut

06/01/2023, 1:48 AM

link to same thread with response: https://apachedruidworkspace.slack.com/archives/C030K0Z7S1Z/p1685557121420909

Open in Slack

Previous Next