Posted to issues@flink.apache.org by "ouyangwulin (Jira)" <ji...@apache.org> on 2023/03/16 11:50:00 UTC
[jira] [Comment Edited] (FLINK-29705) Document the least access with RBAC setting for native K8s integration
[ https://issues.apache.org/jira/browse/FLINK-29705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17701118#comment-17701118 ]
ouyangwulin edited comment on FLINK-29705 at 3/16/23 11:49 AM:
---------------------------------------------------------------
# TaskManager: a service account that can only read ConfigMaps (HA / leader lookup)
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    system: taskmanager-serviceaccount
  name: taskmanager-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: taskmanager-serviceaccount
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: taskmanager-serviceaccount
subjects:
  - kind: ServiceAccount
    name: taskmanager-serviceaccount
roleRef:
  kind: Role
  name: taskmanager-serviceaccount
  apiGroup: rbac.authorization.k8s.io
---
# JobManager: a service account that manages pods, ConfigMaps and deployments
# within the namespace (a namespaced Role, not a ClusterRole)
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    system: jobmanager-serviceaccount
  name: jobmanager-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jobmanager-serviceaccount
rules:
  - apiGroups: [""]
    resources: ["pods", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jobmanager-serviceaccount
subjects:
  - kind: ServiceAccount
    name: jobmanager-serviceaccount
roleRef:
  kind: Role
  name: jobmanager-serviceaccount
  apiGroup: rbac.authorization.k8s.io
[~Wencong Liu] can you help review this RBAC config?
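A check a reviewer might run over these manifests, added here as an example (not Flink's or the Kubernetes operator's code): it compares each Role against a least-privilege baseline transcribed from the comment above and flags wildcards, cluster-scoped kinds and verbs beyond that baseline. The ALLOWED table and the dict transcription of the two Roles are assumptions made for this example.

```python
from typing import Dict, List, Set, Tuple

# Baseline: the most access each Flink service account should hold, transcribed
# from the posted manifests (assumption for this example, not a Flink-defined table).
ALLOWED: Dict[str, Dict[Tuple[str, str], Set[str]]] = {
    "taskmanager-serviceaccount": {
        ("", "configmaps"): {"get", "list", "watch"},
    },
    "jobmanager-serviceaccount": {
        ("", "pods"): {"get", "list", "watch", "create", "update", "patch", "delete"},
        ("", "configmaps"): {"get", "list", "watch", "create", "update", "patch", "delete"},
        ("apps", "deployments"): {"get", "list", "create", "update", "patch", "delete"},
    },
}


def check_role(role: dict) -> List[str]:
    """Return findings for a Role dict; an empty list means it stays within ALLOWED."""
    findings: List[str] = []
    name = role["metadata"]["name"]
    # The native integration only needs namespaced access; a ClusterRole is a red flag.
    if role.get("kind") != "Role":
        findings.append(f"{name}: kind {role.get('kind')!r} is not a namespaced Role")
    allowed = ALLOWED.get(name)
    if allowed is None:
        return findings + [f"{name}: no least-privilege baseline defined"]
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                if "*" in (group, resource) or "*" in verbs:
                    findings.append(f"{name}: wildcard grant on {group!r}/{resource!r}")
                    continue
                extra = verbs - allowed.get((group, resource), set())
                if extra:
                    findings.append(f"{name}: {group!r}/{resource!r} grants extra verbs {sorted(extra)}")
    return findings


# The two Roles from the comment, as dicts (constructed transcription of the YAML).
TASKMANAGER_ROLE = {"kind": "Role", "metadata": {"name": "taskmanager-serviceaccount"},
                    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                               "verbs": ["get", "list", "watch"]}]}
JOBMANAGER_ROLE = {"kind": "Role", "metadata": {"name": "jobmanager-serviceaccount"},
                   "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                              "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
                             {"apiGroups": ["apps"], "resources": ["deployments"],
                              "verbs": ["get", "list", "create", "update", "patch", "delete"]}]}

if __name__ == "__main__":
    for role in (TASKMANAGER_ROLE, JOBMANAGER_ROLE):
        print(role["metadata"]["name"], check_role(role) or "OK")
```

Any finding for a Role that the deployment actually needs is a signal to extend the baseline deliberately rather than to widen the Role.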
> Document the least access with RBAC setting for native K8s integration
> ----------------------------------------------------------------------
>
> Key: FLINK-29705
> URL: https://issues.apache.org/jira/browse/FLINK-29705
> Project: Flink
> Issue Type: Improvement
> Components: Deployment / Kubernetes, Documentation
> Reporter: Yang Wang
> Assignee: ouyangwulin
> Priority: Major
>
> We should document the least access with RBAC settings[1]. And the operator docs could be taken as a reference[2].
>
> [1]. [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/resource-providers/native_kubernetes/#rbac]
> [2]. [https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-main/docs/operations/rbac/]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)