[FLINK-32041] flink-kubernetes-operator RoleBinding for Leases not created in correct namespace when using watchNamespaces - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: kubernetes-operator-1.4.0
Fix Version/s: kubernetes-operator-1.6.0
Component/s: Kubernetes Operator
Labels:
- pull-request-available

Description

When enabling HA for flink-kubernetes-operator RBAC rules must be created to allow the flink-operator to manage k8s Lease resources. When not using watchNamespaces, the RBAC rules are created at the k8s cluster level scope, giving the flink-operator ServiceAccount the ability to manage all needed k8s resources for all namespaces.

However, when using watchNamespaces, RBAC rules are only created in the watchNamepaces. For most rules, this is correct, as the operator needs to manage resources like Flink pods and deployments in the watchNamespaces.

However, For flink-kubernetes-operator HA, the Lease resource is managed in the same namespace in which the operator is deployed.

The Helm chart should be fixed so that the proper RBAC rules for Leases are created to allow the operator's ServiceAccount in the operator's namespace.

Mailing list discussion here.

Attachments

Issue Links

links to

GitHub Pull Request #604

Activity

People

Assignee:: Thomas Chin

Reporter:: Andrew Otto

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 09/May/23 14:27

Updated:: 02/Jun/23 12:16

Resolved:: 01/Jun/23 11:14