[jira] [Closed] (FLINK-38552) FlinkStateSnapshot does not work if operator's namespace not in watchNamespaces

Tue, 04 Nov 2025 00:42:06 -0800 


     [ 
https://issues.apache.org/jira/browse/FLINK-38552?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gyula Fora closed FLINK-38552.
------------------------------
    Fix Version/s: kubernetes-operator-1.14.0
       Resolution: Fixed

merged to main a2bbbb4be1db5fd3704b8d62d166e54a993ad769

>  FlinkStateSnapshot does not work if operator's namespace not in 
> watchNamespaces
> --------------------------------------------------------------------------------
>
>                 Key: FLINK-38552
>                 URL: https://issues.apache.org/jira/browse/FLINK-38552
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>            Reporter: Maksim Aniskov
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: kubernetes-operator-1.14.0
>
>
> If Flink Kubernetes Operator deployed using [the Helm 
> chart|https://github.com/apache/flink-kubernetes-operator/tree/main/helm/flink-kubernetes-operator]
>  and the operator's namespace not listed in [_watchNamespaces_ 
> value|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/values.yaml#L23],
>  support for _FlinkStateSnapshot_ CRDs gets disabled.
> The operator's 
> [isCrdInstalled|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/utils/KubernetesClientUtils.java#L73]
>  check requires _list_ permission for _flinkstatesnaphots_ verb in the 
> operator's namespace.
> When the namespace listed in {_}watchNamespaces{_}, [this 
> template|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/role.yaml#L24-L32]
>  creates the Kubernetes role with necessary permission defined in 
> [helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl#L135]
> When the operator's namespace isn't in {_}watchNamespaces{_}, this part of 
> the template defines the role: 
> [helm/flink-kubernetes-operator/templates/rbac/role.yaml#L33-L56|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/role.yaml#L33-L56]
> This part should also define the permission. Like the following.
> {code:java}
> - apiGroups:
>   - flink.apache.org
>   resources:
>   - flinkstatesnapshots
>   verbs:
>   - list
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to