[jira] [Commented] (FLINK-20990) Service account property ignored for Kubernetes Standalone deployment

Fri, 15 Jan 2021 22:19:10 -0800 


    [ 
https://issues.apache.org/jira/browse/FLINK-20990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17266513#comment-17266513
 ] 

Yang Wang commented on FLINK-20990:
-----------------------------------

Thanks for sharing the result. I believe it could also help others.

> Service account property ignored for Kubernetes Standalone deployment
> ---------------------------------------------------------------------
>
>                 Key: FLINK-20990
>                 URL: https://issues.apache.org/jira/browse/FLINK-20990
>             Project: Flink
>          Issue Type: Bug
>          Components: Deployment / Kubernetes
>    Affects Versions: 1.12.0
>            Reporter: Damian G
>            Priority: Major
>
> We're using Kubernetes Standalone solution to deploy Flink on Kubernetes 
> cluster. We created helm chart resources with following documentation: 
> [https://ci.apache.org/projects/flink/flink-docs-release-1.12/deployment/resource-providers/standalone/kubernetes.html]
> The problem is that on 'production' environment the default service account 
> is restricted from creating configmaps. I added 
> _kubernetes.jobmanager.service-account_ property to flink-conf.yml to use 
> different service account, but the error still says that the 'default' 
> service account has no permission to create config maps. I'm trying to 
> reproduce this on my local Kubernetes cluster, so:
> I'm creating ClusterRoleBinding for ClusterRole 'view' and assign it to 
> 'flink-sa' service account in order to check if the creation of configmaps is 
> now impossible
> In flink-conf.yaml I'm adding property 
> _kubernetes.jobmanager.service-account: flink-sa_
> The cluster still creates configmaps and works correctly - meaning it doesn't 
> use read-only service account I provided for it.
> Therefore I cannot change service account that Flink is using on 'production' 
> environment - it will always use the default one.
> Shouldn't the option to configure which service account Flink deployment is 
> using work for both Native Kubernetes deployment and Standalone Kubernetes 
> deployment?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to