[
https://issues.apache.org/jira/browse/FLINK-33633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17789380#comment-17789380
]
Gyula Fora commented on FLINK-33633:
------------------------------------
The problem is that this adds extra code logic to both the operator and the
helm chart. And it brings basically 0 production value and encourages a
privilege creep that poses a potential security risk.
When admins add a new namespace to the watched namespaces they need to add the
necessary rbac. If they miss it, the operator will send error logs but
won't fail so they can correct it.
> Automatic creation of RBAC for instances of Flink Deployments
> -------------------------------------------------------------
>
> Key: FLINK-33633
> URL: https://issues.apache.org/jira/browse/FLINK-33633
> Project: Flink
> Issue Type: Improvement
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.7.0
> Reporter: Tony Garrard
> Priority: Not a Priority
>
> Currently users have to manually create RBAC e.g. the flink service account.
> When operator is watching all namespaces; creation of a FlinkDeployment in a
> specific namespace may fail if the kube admin has failed to create the
> required RBAC. To improve usability the operator could be coded to
> automatically create these rbac resources in the instance namespace if not
> present