rmetzger commented on a change in pull request #12558:
URL: https://github.com/apache/flink/pull/12558#discussion_r439391889
##########
File path: docs/ops/deployment/native_kubernetes.md
##########
@@ -116,10 +116,12 @@ $ kubectl port-forward service/<ServiceName> 8081
- `NodePort`: Exposes the service on each Node’s IP at a static port (the
`NodePort`). `<NodeIP>:<NodePort>` could be used to contact the Job Manager
Service. `NodeIP` could be easily replaced with Kubernetes ApiServer address.
You could find it in your kube config file.
-- `LoadBalancer`: Default value, exposes the service externally using a cloud
provider’s load balancer.
+- `LoadBalancer`: exposes the service externally using a cloud provider’s load
balancer.
Since the cloud provider and Kubernetes needs some time to prepare the load
balancer, you may get a `NodePort` JobManager Web Interface in the client log.
You can use `kubectl get services/<ClusterId>` to get EXTERNAL-IP and then
construct the load balancer JobManager Web Interface manually
`http://<EXTERNAL-IP>:8081`.
+ <span class="label label-warning">Warning!</span> Your JobManager (which can
run arbitary jar files) might be exposed to the public internet, without
authentication.
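Review bot: The added warning on the `LoadBalancer` item misspells "arbitrary" as "arbitary", and it names the risk without telling the reader how to avoid it. Consider adding a pointer to a non-public way of reaching the web interface, such as the `kubectl port-forward service/<ServiceName> 8081` command in the hunk header context. Also, the `-`/`+` pair drops "Default value" from this item, and nothing in the visible lines says which exposed type is the default now; the item that carries the default should state it.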
Review comment:
This Flink config is just forwarded to Kubernetes, and the purpose of
this setting is to expose the service publicly via a loadbalancer:
https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
I used the word *might* because I can imagine that in some setups, the LB
only opens the service to a VPN.
But when I experimented with Flink on K8s on Google Cloud, the JobManager
was public to the internet by default.
That's why I added this warning here.
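A defender-side check for the exposure discussed in the review comment above, as an added example that is not part of the original comment or of Flink: it reads `kubectl get services -o json` output and lists `LoadBalancer` Services that publish port 8081 without a restricting `loadBalancerSourceRanges`. The service names and addresses in the sample are constructed, and the helper names are hypothetical.

```python
import json
import sys

FLINK_REST_PORT = 8081  # JobManager web/REST port used in the page's examples


def public_loadbalancers(service_list, port=FLINK_REST_PORT):
    """Flag LoadBalancer Services publishing `port` with no effective source allow-list.

    Cloud-specific "internal load balancer" annotations are not evaluated here.
    """
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        if not any(p.get("port") == port for p in spec.get("ports", [])):
            continue
        ranges = spec.get("loadBalancerSourceRanges") or []
        if ranges and "0.0.0.0/0" not in ranges:
            continue  # restricted to specific CIDRs
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        addrs = [i.get("ip") or i.get("hostname") for i in ingress] or ["<pending>"]
        meta = svc.get("metadata", {})
        findings.append((meta.get("namespace"), meta.get("name"), addrs))
    return findings


def _svc(name, type_, ranges=None, ip=None):
    """Build one constructed Service object in the shape kubectl emits."""
    spec = {"type": type_, "ports": [{"port": 8081}]}
    if ranges:
        spec["loadBalancerSourceRanges"] = ranges
    lb = {"ingress": [{"ip": ip}]} if ip else {}
    return {"metadata": {"name": name, "namespace": "default"},
            "spec": spec, "status": {"loadBalancer": lb}}


# Constructed sample: made-up names; 203.0.113.0/24 is a documentation range.
SAMPLE = {"items": [
    _svc("flink-a-rest", "LoadBalancer", ip="203.0.113.10"),
    _svc("flink-b-rest", "LoadBalancer", ranges=["10.0.0.0/8"], ip="203.0.113.11"),
    _svc("flink-c-rest", "ClusterIP"),
    _svc("flink-d-rest", "LoadBalancer", ranges=["0.0.0.0/0"]),
]}

if __name__ == "__main__":
    # Real use: kubectl get services --all-namespaces -o json | python3 this_file.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for ns, name, addrs in public_loadbalancers(data):
        print(f"{ns}/{name}: port {FLINK_REST_PORT} reachable via {', '.join(addrs)}")
```

A Service reported with `<pending>` has no external address yet, which matches the delay the documentation text describes while the load balancer is being prepared.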