[ https://issues.apache.org/jira/browse/FLINK-35338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rasmus Thygesen updated FLINK-35338:
------------------------------------
    Affects Version/s: 1.8.0

> Enable FS Plugins as non-root
> -----------------------------
>
>                 Key: FLINK-35338
>                 URL: https://issues.apache.org/jira/browse/FLINK-35338
>             Project: Flink
>          Issue Type: New Feature
>          Components: Kubernetes Operator
>    Affects Versions: 1.8.0
>            Reporter: Rasmus Thygesen
>            Priority: Not a Priority
>
> [This pull request|https://github.com/apache/flink-kubernetes-operator/pull/609]
> was made to allow enabling FS plugins on the Flink Kubernetes Operator, which
> allows reading a jar for a session job on various file systems. It normally
> works well, but we are running our cluster with
> [Restricted Pod Security|https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted],
> which among other things means the Flink operator pod is configured to use
> *readOnlyRootFilesystem* and *runAsNonRoot*, which means we are not allowed to
> write to our plugins directory.
>
> We have tried using *operatorVolumes* and *operatorVolumeMounts* to mount
> */opt/flink/plugins*, which would allow us to write to it, but that overrides
> all the pre-installed plugins. When all the pre-installed plugins are removed
> before startup, the operator sees the directory for the plugin we are trying
> to install, but does not find a jar file inside the directory and therefore
> complains. We think that when the pre-installed plugins are there, the
> operator takes a bit longer before it starts reading the new plugin and
> therefore there is enough time to download the new plugin with curl.
>
> We are open to suggestions for how we can solve this issue while keeping
> *readOnlyRootFilesystem* and *runAsNonRoot*.
> We are considering a solution where we mount a volume and download all the
> pre-installed plugins as well as any extra plugins we need through an init
> container and we propose a new value to the Flink Operator Helm chart

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
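
The init-container approach the reporter is considering, sketched as an added shell example that is not from the issue or the Flink project: it copies the pre-installed plugins into the writable volume and publishes an extra plugin only after its checksum matches. The function names, arguments and return codes are assumptions, and the download step itself is left to the caller.

```shell
#!/bin/sh
# Added example for an init container; every path and name is an assumption.

# copy_preinstalled SRC DST
# Copy each plugin directory from the image's read-only plugins directory
# (SRC) into the writable volume (DST), so mounting DST hides nothing.
copy_preinstalled() {
    src=$1; dst=$2
    [ -d "$src" ] || return 1
    mkdir -p "$dst" || return 1
    for d in "$src"/*/; do
        [ -d "$d" ] || continue
        cp -R "$src/$(basename "$d")" "$dst/" || return 1
    done
}

# install_plugin NAME JAR SHA256 DST
# Verify an already-downloaded JAR against a pinned SHA-256, then publish it
# as DST/NAME/ with a single rename. Returns 2 on checksum mismatch and 3 if
# DST/NAME already exists; neither case leaves a jar-less directory behind.
install_plugin() {
    name=$1; jar=$2; want=$3; dst=$4
    got=$(sha256sum "$jar" | cut -d' ' -f1)
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "checksum mismatch for $jar" >&2
        return 2
    fi
    [ ! -e "$dst/$name" ] || return 3
    # Stage inside DST so the final mv is a rename on the same filesystem.
    stage=$(mktemp -d "$dst/.staging.XXXXXX") || return 1
    if cp "$jar" "$stage/" && chmod 755 "$stage" && mv "$stage" "$dst/$name"; then
        return 0
    fi
    rm -rf "$stage"
    return 1
}
```

Init containers run to completion before the pod's main containers start, so the operator only ever mounts the volume after both functions have finished.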