Posted to issues@flink.apache.org by "Jeesmon Jacob (Jira)" <ji...@apache.org> on 2022/06/10 12:14:00 UTC

[jira] [Comment Edited] (FLINK-27975) Remove unnecessary RBAC rules from operator

    [ https://issues.apache.org/jira/browse/FLINK-27975?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552724#comment-17552724 ] 

Jeesmon Jacob edited comment on FLINK-27975 at 6/10/22 12:13 PM:
-----------------------------------------------------------------

[~mbalassi] Can you please assign this to me if you haven't started working on it? I will try to work on this in the next few days. Thanks.


was (Author: JIRAUSER290277):
[~matyas] Can you please assign this to me if you haven't started working on it? I will try to work on this in the next few days. Thanks.

> Remove unnecessary RBAC rules from operator
> -------------------------------------------
>
>                 Key: FLINK-27975
>                 URL: https://issues.apache.org/jira/browse/FLINK-27975
>             Project: Flink
>          Issue Type: Improvement
>          Components: Kubernetes Operator
>            Reporter: Márton Balassi
>            Priority: Major
>             Fix For: kubernetes-operator-1.1.0
>
>
> [~jeesmon] reported the following RBAC rules obsolete:
> {code}
>   - apiGroups:
>       - flink-operator
>     resources:
>       - "*"
>     verbs:
>       - "*"
> {code}
> https://github.com/apache/flink-kubernetes-operator/blob/main/helm/flink-kubernetes-operator/templates/rbac.yaml#L24-L29
> Also * on nodes was flagged in his security review, rightfully. The rule seems too permissive in my opinion too. As far as I remember it was needed for our services potentially using NodePort (we use ClusterIP by default). This should be properly verified and tidied up.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
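
A least-privilege check over rules like the ones quoted in this issue, as an added example that is not part of the original message or the Flink operator's code. Only the `flink-operator` rule is taken from the issue; the other sample rules, the sensitive-resource list and the set of served API groups are constructed assumptions.

```python
# Added example: flag over-broad or unused Kubernetes RBAC rules.
# Rules are plain dicts mirroring the `rules:` list of a Role/ClusterRole.
# SAMPLE_RULES is constructed; only its first entry is quoted from the issue.
# The shape of the "nodes" rule is an assumption based on the issue's wording.
SAMPLE_RULES = [
    {"apiGroups": ["flink-operator"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
]

# Hypothetical policy lists for this example, not an official classification.
SENSITIVE_RESOURCES = {"nodes", "secrets", "clusterroles", "clusterrolebindings"}
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def audit_rules(rules, served_groups):
    """Return a list of (rule_index, reason) findings.

    served_groups: API groups the cluster actually serves ("" is the core
    group). A rule naming only groups outside this set grants nothing on
    that cluster and is a candidate for removal.
    """
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))

        unserved = [g for g in groups if g != "*" and g not in served_groups]
        if unserved:
            findings.append((i, f"apiGroup(s) {unserved} not served by cluster"))
        if "*" in resources and "*" in verbs:
            findings.append((i, "wildcard resources combined with wildcard verbs"))
        risky = resources & SENSITIVE_RESOURCES
        if risky and verbs & MUTATING_VERBS:
            findings.append((i, f"mutating verbs on {sorted(risky)}"))
    return findings


if __name__ == "__main__":
    # Constructed set of served groups for the demonstration.
    served = {"", "apps", "flink.apache.org"}
    for idx, reason in audit_rules(SAMPLE_RULES, served):
        print(f"rule[{idx}]: {reason}")
```
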