[ https://issues.apache.org/jira/browse/FLINK-20990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17265885#comment-17265885 ]
Damian G commented on FLINK-20990:
----------------------------------
I've seen the issue you mentioned before and I'm not sure if it resolves what I
described.
https://issues.apache.org/jira/browse/FLINK-20664 mentions that there was a
possibility to set service account only for job manager and introduces a way to
set service account for task manager as well.
I'm trying to use _kubernetes.jobmanager.service-account_ property just to
check job manager (there is a possibility I'd need to do this on task manager
as well, but it's an issue that might occur one step later), but it seems to be
ignored.
Just to make sure task manager isn't responsible for creating configmaps I
deployed a cluster with 1 job manager and 0 task managers and used
_kubernetes.jobmanager.service-account_ to point to service account which has
no permission to create configmaps and configmaps were still created.
> Service account property ignored for Kubernetes Standalone deployment
> ---------------------------------------------------------------------
>
> Key: FLINK-20990
> URL: https://issues.apache.org/jira/browse/FLINK-20990
> Project: Flink
> Issue Type: Bug
> Components: Deployment / Kubernetes
> Affects Versions: 1.12.0
> Reporter: Damian G
> Priority: Major
>
> We're using Kubernetes Standalone solution to deploy Flink on Kubernetes
> cluster. We created helm chart resources with following documentation:
> [https://ci.apache.org/projects/flink/flink-docs-release-1.12/deployment/resource-providers/standalone/kubernetes.html]
> The problem is that on 'production' environment the default service account
> is restricted from creating configmaps. I added
> _kubernetes.jobmanager.service-account_ property to flink-conf.yml to use
> different service account, but the error still says that the 'default'
> service account has no permission to create config maps. I'm trying to
> reproduce this on my local Kubernetes cluster, so:
> 1. I'm creating ClusterRoleBinding for ClusterRole 'view' and assign it to
>    'flink-sa' service account in order to check if the creation of configmaps is
>    now impossible
> 2. In flink-conf.yaml I'm adding property
>    _kubernetes.jobmanager.service-account: flink-sa_
> 3. The cluster still creates configmaps and works correctly - meaning it doesn't
>    use read-only service account I provided for it.
> Therefore I cannot change service account that Flink is using on 'production'
> environment - it will always use the default one.
> Shouldn't the option to configure which service account Flink deployment is
> using work for both Native Kubernetes deployment and Standalone Kubernetes
> deployment?
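
An offline check for the situation reported above, added here as an example and not part of the issue or of Flink: it resolves which service account a pod spec runs as and whether that account may create configmaps. The manifests are constructed, the RBAC model covers ClusterRoleBindings only, and the write permission of the 'default' account is an assumption.

```python
# Constructed sample objects (not taken from the issue), in Kubernetes manifest shape.
JOBMANAGER_POD_SPEC = {  # pod template with no serviceAccountName set
    "containers": [{"name": "jobmanager", "image": "flink:1.12.0"}],
}
CLUSTER_ROLES = {  # simplified rule sets; real 'view'/'edit' roles are much larger
    "view": [{"apiGroups": [""], "resources": ["configmaps", "pods"],
              "verbs": ["get", "list", "watch"]}],
    "edit": [{"apiGroups": [""], "resources": ["configmaps", "pods"],
              "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "flink-sa", "namespace": "default"}]},
    # Assumption: the local cluster's 'default' account is allowed to write.
    {"roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]


def effective_service_account(pod_spec):
    """Kubernetes assigns the namespace's 'default' account when the field is unset."""
    return pod_spec.get("serviceAccountName") or "default"


def rule_allows(rule, verb, resource, api_group=""):
    """RBAC rules are allow-only; '*' matches any value in a field."""
    def match(field, wanted):
        return "*" in rule.get(field, []) or wanted in rule.get(field, [])
    return match("apiGroups", api_group) and match("resources", resource) and match("verbs", verb)


def can_i(sa, namespace, verb, resource):
    """Rough offline equivalent of 'kubectl auth can-i' for ClusterRoleBindings only."""
    for binding in CLUSTER_ROLE_BINDINGS:
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa
                    and s.get("namespace") == namespace for s in binding["subjects"])
        rules = CLUSTER_ROLES.get(binding["roleRef"]["name"], [])
        if bound and any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False


def audit(pod_spec, namespace="default"):
    """Return (account the pod runs as, whether it may create configmaps)."""
    sa = effective_service_account(pod_spec)
    return sa, can_i(sa, namespace, "create", "configmaps")


if __name__ == "__main__":
    print(audit(JOBMANAGER_POD_SPEC))
    print(audit({**JOBMANAGER_POD_SPEC, "serviceAccountName": "flink-sa"}))
```

On a live cluster the same two facts come from the pod's `spec.serviceAccountName` and from `kubectl auth can-i create configmaps --as=system:serviceaccount:default:flink-sa`.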