3

I have been trying to set up Spring Cloud Dataflow Server for Kubernetes locally using minikube. I have followed the installation instructions in the link here: SCDF Installation Reference

I've been getting the below error for the SCDF server:


```
11:32:52.095 [main] DEBUG io.fabric8.kubernetes.client.Config - Trying to configure client namespace from Kubernetes service account namespace path...
11:32:52.096 [main] DEBUG io.fabric8.kubernetes.client.Config - Found service account namespace at: [/var/run/secrets/kubernetes.io/serviceaccount/namespace].
2018-04-24 11:33:14.348  WARN 1 --- [           main] o.s.cloud.kubernetes.StandardPodUtils    : Failed to get pod with name:[scdf-server-869d56967c-97lsd]. You should look into this if things aren't working as you expect. Are you missing serviceaccount permissions?

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/default/pods/scdf-server-869d56967c-97lsd. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "scdf-server-869d56967c-97lsd" is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default".
```

Below are the version details:

  • Spring Cloud Data Flow Server : 1.4.0.RELEASE
  • Kubernetes Local Deployment using minikube
  • Kubernetes Version : 1.10
mukulSharma

2 Answers

4

The latest release of minikube enabled RBAC by default.

For RBAC enabled clusters, we have added a note in the installation section on this matter.

"The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with."

For minikube, however, you can run the following command and retry installing.

```
kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
```

Alternatively, if you're using the helm-chart, you can disable RBAC and install the chart with the following on minikube.

```
helm init
helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com
helm repo update
helm install --name my-release --set server.service.type=NodePort --set rbac.create=false incubator/spring-cloud-data-flow
```

Sabby Anandan
  • Have tried this approach too, exactly the same error as shared earlier. – mukulSharma Apr 24 '18 at 14:33
  • I just tried the RBAC provisioning experience on minikube `v0.26.1`. I created the `cluster-admin` role and I used the helm chart (via: `helm install --name my-release --set server.service.type=NodePort incubator/spring-cloud-data-flow`). Everything came up as expected. – Sabby Anandan Apr 24 '18 at 16:27
  • I tried the helm way of installation earlier, but without the cluster-admin role. Just tried these together as you've mentioned above, and it worked both locally and on Google Kubernetes engine. Thank you so much. Also, wondering if this should be part of the SCDF reference docs. Kindly suggest. – mukulSharma Apr 25 '18 at 13:08
  • Yes, that'd be good to have it in the docs. I added [spring-cloud/spring-cloud-dataflow-server-kubernetes#282](https://github.com/spring-cloud/spring-cloud-dataflow-server-kubernetes/issues/282). – Sabby Anandan Apr 25 '18 at 13:29
0

From the installation guide, step 7: https://docs.spring.io/spring-cloud-dataflow-server-kubernetes/docs/1.4.0.RELEASE/reference/htmlsingle/#_deploying_using_kubectl

The latest releases of kubernetes have enabled RBAC on the api-server. If your target platform has RBAC enabled you must ask a cluster-admin to create the roles and role-bindings for you before deploying the dataflow server. They associate the dataflow service account with the roles it needs to be run with.

```
$ kubectl create -f src/kubernetes/server/server-roles.yaml
$ kubectl create -f src/kubernetes/server/server-rolebinding.yaml
```

Did you perform those steps?

Jordan Liggitt
  • Yes, I had applied these too. – mukulSharma Apr 24 '18 at 14:33
  • It looks like https://github.com/spring-cloud/spring-cloud-dataflow-server-kubernetes/blob/master/src/kubernetes/server/server-rolebinding.yaml grants permissions to the `scdf-sa` service account, not the `default` service account. Did you create the deployment from https://github.com/spring-cloud/spring-cloud-dataflow-server-kubernetes/blob/master/src/kubernetes/server/server-deployment.yaml (which includes `serviceAccountName: scdf-sa`)? – Jordan Liggitt Apr 24 '18 at 17:53
  • I got this resolved following Sabby Anandan's answer. Thanks for the help. – mukulSharma Apr 25 '18 at 13:13
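
An added example, not part of the original answers or the SCDF project: a shell helper that parses the denial from the question's log into a `kubectl auth can-i` check for the service account it names, and prints a namespaced Role/RoleBinding covering only the denied verb and resource. The function names are hypothetical; the parser assumes the message wording shown in the question and a resource in the core API group.

```shell
#!/bin/sh
# Constructed sample: the denial text copied from the question's log.
SAMPLE='pods "scdf-server-869d56967c-97lsd" is forbidden: User "system:serviceaccount:default:default" cannot get pods in the namespace "default".'

# parse_denial MSG: prints "sa_namespace sa_name verb resource namespace",
# or nothing when MSG does not match the wording shown in the question.
parse_denial() {
  printf '%s\n' "$1" | sed -nE \
    's/.*User "system:serviceaccount:([a-z0-9.-]+):([a-z0-9.-]+)" cannot ([a-z]+) ([a-z]+) in the namespace "([a-z0-9-]+)".*/\1 \2 \3 \4 \5/p'
}

# can_i_command MSG: prints the kubectl check that reproduces the denial
# by impersonating the service account named in the message.
can_i_command() {
  set -- $(parse_denial "$1")
  [ $# -eq 5 ] || return 1
  printf 'kubectl auth can-i %s %s -n %s --as=system:serviceaccount:%s:%s\n' \
    "$3" "$4" "$5" "$1" "$2"
}

# scoped_rbac MSG: prints a Role and RoleBinding limited to the denied
# verb/resource in that one namespace (assumption: core API group "").
scoped_rbac() {
  set -- $(parse_denial "$1")
  [ $# -eq 5 ] || return 1
  name="$2-$3-$4"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $name, namespace: $5}
rules:
- apiGroups: [""]
  resources: ["$4"]
  verbs: ["$3"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $name, namespace: $5}
subjects:
- kind: ServiceAccount
  name: $2
  namespace: $1
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $name}
EOF
}

can_i_command "$SAMPLE"   # print the check for the sample denial
scoped_rbac "$SAMPLE"     # print the narrowly scoped manifest
```

If the printed check names `default` rather than `scdf-sa`, the pod is not running under the service account that `server-rolebinding.yaml` binds, which is the mismatch raised in the comment above.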