Rasmus Thygesen created FLINK-35338: ---------------------------------------
Summary: Enable FS Plugins as non-root Key: FLINK-35338 URL: https://issues.apache.org/jira/browse/FLINK-35338 Project: Flink Issue Type: New Feature Components: Kubernetes Operator Reporter: Rasmus Thygesen [This pull request|https://github.com/apache/flink-kubernetes-operator/pull/609] was made to allow enabling FS plugins on the Flink Kubernetes Operator which allows reading a jar for a session job on various file systems. It normally works well, but we are running our cluster with ** *[Restricted Pod Security|https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted]* ** which among other things mean the flink operator pod is configured to use *readOnlyRootFilesystem* and *runAsNonRoot* which means we are not allowed to write to our plugins directory. We have tried using *operatorVolumes* and *operatorVolumeMounts* to mount */opt/flink/plugins* which would allow us to write to it, but that overrides all the pre-installed plugins. When all the pre-installed plugins are removed before startup, the operator sees the directory for the plugin we are trying to install, but does not find a jar file inside the directory and therefore complains. We think that when the pre-installed plugins are there, the operator takes a bit longer before it starts reading the new plugin and therefore there is enough time to download the new plugin with curl. We are open to suggestions for how we can solve this issue while keeping *readOnlyRootFilesystem* and {*}runAsNonRoot{*}. We are considering a solution where we mount a volume and download all the pre-installed plugins as well as any extra plugins we need through an init container and we propose a new value to the Flink Operator Helm chart -- This message was sent by Atlassian Jira (v8.20.10#820010)