How to resolve the 403 issue when accessing dispatcher in K8s.

[karlwang1983]

I config the dispatcher as below in a deployment.yaml, but it causes time-out issue when I check permission. I saw the logs in spicedb pod "invalid response code 403 for service spicedb-permission-service in namespace". Is there any configurations should I do in k8s?

 - name: SPICEDB_DISPATCH_CLUSTER_ENABLED
   value: "true"
 - name: SPICEDB_DISPATCH_UPSTREAM_ADDR
   value: "kubernetes:///spicedb-permission-service:50053"

[vroldanbet]

@karlwang1983 I think that mostly looks fine, I'd probably put the .<your_namespace> suffix just in case, and we usually do :dispatch which is the name of the dispatch port defined. Are you setting RBAC properly? you need to create a ServiceAccount with permission to read endpoints:

  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ""
    resources:
      - endpoints

[karlwang1983]

Thanks @vroldanbet . I noticed I lost set service account in spicedb pod. Now it works.