How to setMasterUrl in Ignite XML config for Kubernetes IPFinder
Using test config with Ignite 2.4 and k8s 1.9:
-
Take a look at this thread: http://apache-ignite-users.70518.x6.nabble.com/Unable-to-connect-ignite-pods-in-Kubernetes-using-Ip-finder-td18009.html
The problem of 403 error can be solved by granting more permissions to the service account.
讨论(0) -
Platform versions
- Kubernetes: v1.8
- Ignite: v2.4
@Anton Kostenko design is mostly right, but here's a refined suggestion that works and grants least access privileges to Ignite.
If you're using a
Deploymentto manage Ignite, then all of your Pods will launch within a single namespace. Therefore, you should really use aRoleand aRoleBindingto grant API access to the service account associated with your deployment.The
TcpDiscoveryKubernetesIpFinderonly needs access to the endpoints for the headless service that selects your Ignite pods. The following 2 manifests will grant that access.apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: ignite-endpoint-access namespace: <your-ns> labels: app: ignite rules: - apiGroups: [""] resources: ["endpoints"] resourceNames: ["<your-headless-svc>"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ignite-role-binding labels: app: ignite subjects: - kind: ServiceAccount name: <your-svc-account> roleRef: kind: Role name: ignite-endpoint-access apiGroup: rbac.authorization.k8s.io
讨论(0) -
If you're getting 403 unauthorized then your service account that made your resources may not have good enough permissions. you should update your permissions after you ensure that your namespace and service account and deployments/ replica sets are exactly the way you want it to be.
This link is very helpful to setting permissions for service accounts: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
讨论(0) -
@Denis was right.
Kubernetes using RBAC access controlling system and you need to authorize your pod to access to API.
For that, you need to add a Service Account to your pod.
So, for do that you need:
Create a service account and set role for it:
apiVersion: v1 kind: ServiceAccount metadata: name: ignite namespace: <Your namespace>I am not sure that permissions to access only pods will be enough for Ignite, but if not - you can add as more permissions as you want. Here is example of different kind of roles with large list of permissions. So, now we create Cluster Role for your app:
apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: ignite namespace: <Your namespace> rules: - apiGroups: - "" resources: - pods # Here is resources you can access verbs: # That is what you can do with them - get - list - watchCreate binding for that role:
kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: ignite roleRef: kind: ClusterRole name: ignite apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: ignite namespace: <Your namespace>Now, you need to associate ServiceAccount to pods with your application:
apiVersion: extensions/v1beta1 kind: DaemonSet metadata: .... spec: template: spec: serviceAccountName: ignite
After that, your application will have an access to K8s API. P.S. Do not forget to change
<Your namespace>to namespace where you running Ignition.讨论(0) -
Tested Version:
Kubernetes: v1.8
Ignite: v2.4
This is going to be little bit more permissive.
apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: ignite-rbac subjects: - kind: ServiceAccount name: default namespace: <namespace> roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io讨论(0)
加载中...
- 热议问题