[ 
https://issues.apache.org/jira/browse/FLINK-20990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17265898#comment-17265898
 ] 

Yang Wang commented on FLINK-20990:
-----------------------------------

Hmm. I think I get your point. The Flink config options (aka 
{{kubernetes.service-account}}) to set service account for 
JobManager/TaskManager only work for native K8s integration. Because in native 
K8s mode, JobManager deployment is created by Flink client and we could set the 
service account accordingly. As well as TaskManager pod, which is created by 
Flink ResourceManager.

 

For standalone deployment, you need to set the serviceaccount in the JobManager 
and TaskManager yaml files.
{code:yaml}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flink-jobmanager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: flink
      component: jobmanager
  template:
    metadata:
      labels:
        app: flink
        component: jobmanager
    spec:
      serviceAccount: your-service-account
      containers:
      - name: jobmanager
        ...
{code}

> Service account property ignored for Kubernetes Standalone deployment
> ---------------------------------------------------------------------
>
>                 Key: FLINK-20990
>                 URL: https://issues.apache.org/jira/browse/FLINK-20990
>             Project: Flink
>          Issue Type: Bug
>          Components: Deployment / Kubernetes
>    Affects Versions: 1.12.0
>            Reporter: Damian G
>            Priority: Major
>
> We're using Kubernetes Standalone solution to deploy Flink on Kubernetes 
> cluster. We created helm chart resources with following documentation: 
> [https://ci.apache.org/projects/flink/flink-docs-release-1.12/deployment/resource-providers/standalone/kubernetes.html]
> The problem is that on 'production' environment the default service account 
> is restricted from creating configmaps. I added 
> _kubernetes.jobmanager.service-account_ property to flink-conf.yml to use 
> different service account, but the error still says that the 'default' 
> service account has no permission to create config maps. I'm trying to 
> reproduce this on my local Kubernetes cluster, so:
> I'm creating ClusterRoleBinding for ClusterRole 'view' and assign it to 
> 'flink-sa' service account in order to check if the creation of configmaps is 
> now impossible
> In flink-conf.yaml I'm adding property 
> _kubernetes.jobmanager.service-account: flink-sa_
> The cluster still creates configmaps and works correctly - meaning it doesn't 
> use read-only service account I provided for it.
> Therefore I cannot change service account that Flink is using on 'production' 
> environment - it will always use the default one.
> Shouldn't the option to configure which service account Flink deployment is 
> using work for both Native Kubernetes deployment and Standalone Kubernetes 
> deployment?
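
An added example, not part of the original message or of Flink's own manifests: a namespaced service account with a Role that grants only ConfigMap access, to be referenced from the JobManager and TaskManager pod specs as in the comment above. The namespace `flink`, the Role and RoleBinding names, and the verb list are assumptions; `flink-sa` is the account name from the issue description.

```yaml
# Added example: least-privilege identity for a standalone Flink deployment.
# Assumed names: namespace "flink", Role/RoleBinding "flink-configmaps".
# "flink-sa" is the service account name used in the issue description.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink-sa
  namespace: flink
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-configmaps
  namespace: flink
rules:
  # The issue only states that ConfigMap creation is required; the remaining
  # verbs are an assumption. Trim them to what your setup actually uses.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-configmaps
  namespace: flink
subjects:
  - kind: ServiceAccount
    name: flink-sa
    namespace: flink
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-configmaps
# In both the JobManager and TaskManager Deployments, set under
# spec.template.spec:
#   serviceAccountName: flink-sa   # "serviceAccount" is the deprecated alias
#
# Check which identity the pods really run as, and what it may do:
#   kubectl -n flink get pods -l app=flink \
#     -o custom-columns=NAME:.metadata.name,SA:.spec.serviceAccountName
#   kubectl -n flink auth can-i create configmaps \
#     --as=system:serviceaccount:flink:flink-sa
```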


