[ https://issues.apache.org/jira/browse/FLINK-27109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518673#comment-17518673 ]
Biao Geng commented on FLINK-27109:
-----------------------------------

cc [~morhidi] [~mbalassi] Do you have any suggestions?

> Improve the creation of ClusterRole in Flink K8s operator
> ---------------------------------------------------------
>
>                 Key: FLINK-27109
>                 URL: https://issues.apache.org/jira/browse/FLINK-27109
>             Project: Flink
>          Issue Type: Improvement
>          Components: Kubernetes Operator
>            Reporter: Biao Geng
>            Priority: Major
>
> As the
> [doc|https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrole-example]
> of k8s said, ClusterRole is one kind of non-namespaced resource.
> In our helm chart, we now define the ClusterRole with name 'flink-operator'
> and the namespace field in metadata will be omitted. As a result, if a user
> wants to install multiple flink-kubernetes-operator in different namespaces,
> the ClusterRole 'flink-operator' will be created multiple times.
> Errors like
> {quote}Error: INSTALLATION FAILED: rendered manifests contain a resource that
> already exists. Unable to continue with install: ClusterRole "flink-operator"
> in namespace "" exists and cannot be imported into the current release:
> invalid ownership metadata; annotation validation error: key
> "meta.helm.sh/release-namespace" must equal "c-8725bcef1dc84d6f": current
> value is "default"
> {quote}
> will be thrown.
> Solution 1 could be adding the namespace as a postfix in the name of
> ClusterRole.
> Solution 2 is to add an if-else check like
> [this|https://stackoverflow.com/questions/65110332/clusterrole-exists-and-cannot-be-imported-into-the-current-release]
> to avoid creating an existing resource. One important drawback of solution 2 is
> that when uninstalling one helm release, the created ClusterRole will be
> removed as well.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
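Solution 1 from the issue description, written as a Helm template. This is an added example, not part of the original message and not the flink-kubernetes-operator chart's own template; the file name, the placeholder rule, the ClusterRoleBinding and the service account name are assumptions.

```yaml
# templates/rbac.yaml (hypothetical file name)
# Derive the cluster-scoped names from the release namespace so that two
# releases in different namespaces never render the same object.
{{- $name := printf "flink-operator-%s" .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Before: "name: flink-operator", identical for every release, so the
  # second install is rejected by Helm's ownership check.
  name: {{ $name }}
  # No namespace field: ClusterRole is a cluster-scoped resource.
rules:
  # Placeholder rule only; the operator's real rule set is not shown here.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped as well, so it needs the same suffix.
  name: {{ $name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Must follow the renamed ClusterRole, otherwise the binding grants nothing.
  name: {{ $name }}
subjects:
  - kind: ServiceAccount
    name: flink-operator              # assumed service account name
    namespace: {{ .Release.Namespace }}
```

For the namespace in the error message above, both objects render as `flink-operator-c-8725bcef1dc84d6f`, so each release creates and removes only its own ClusterRole and binding.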