Márton Balassi created FLINK-27975:
--------------------------------------
Summary: Remove unnecessary RBAC rules from operator
Key: FLINK-27975
URL: https://issues.apache.org/jira/browse/FLINK-27975
Project: Flink
Issue Type: Improvement
Components: Kubernetes Operator
Reporter: Márton Balassi
Fix For: kubernetes-operator-1.1.0
[~jeesmon] reported the following RBAC rules obsolete:
{code}
- apiGroups:
    - flink-operator
  resources:
    - "*"
  verbs:
    - "*"
{code}
https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/templates/rbac.yaml#L24-L29
Also * on nodes was flagged in his security review, rightfully. The rule seems
too permissive in my opinion too. As far as I remember it was needed for our
services potentially using NodePort (we use ClusterIP by default). This should
be properly verified and tidied up.