Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2020/12/01 02:42:32 UTC

[GitHub] [flink] xintongsong commented on a change in pull request #14241: [FLINK-20073][doc] Add native k8s integration to kerberos setup documentation

xintongsong commented on a change in pull request #14241:
URL: https://github.com/apache/flink/pull/14241#discussion_r533036250



##########
File path: docs/deployment/security/security-kerberos.md
##########
@@ -87,16 +87,20 @@ Steps to run a secure Flink cluster in standalone/cluster mode:
 2. Ensure that the keytab file exists at the path indicated by `security.kerberos.login.keytab` on all cluster nodes.
 3. Deploy Flink cluster as normal.
 
-### YARN/Mesos Mode
+### YARN, Mesos and native Kubernetes Mode
 
-Steps to run a secure Flink cluster in YARN/Mesos mode:
+Steps to run a secure Flink cluster in YARN, Mesos and native Kubernetes mode:
 
 1. Add security-related configuration options to the Flink configuration file on the client (see [here]({% link deployment/config.md %}#auth-with-external-systems)).
 2. Ensure that the keytab file exists at the path as indicated by `security.kerberos.login.keytab` on the client node.
 3. Deploy Flink cluster as normal.
 
 In YARN/Mesos mode, the keytab is automatically copied from the client to the Flink containers.
 
+In native Kubernetes mode, a Secret is automatically created with the given keytab and mounted on all Flink pods.
+
+You can configure the `security.kerberos.krb5-conf.path` to indicate the path of the Kerberos configuration file. In native Kubernetes mode, this config is required and a ConfigMap will be created with that file and mounted on the `/etc/krb5.conf` of all Flink pods.
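
Review bot: the last added paragraph does not say where `security.kerberos.krb5-conf.path` is resolved. Step 2 states that the keytab path is "on the client node"; if the krb5 file is likewise read on the client before the ConfigMap is created, say so here. The paragraph also calls the option required in native Kubernetes mode without saying what the user sees when it is unset. Wording nit: "mounted on the `/etc/krb5.conf` of all Flink pods" reads better as "mounted at `/etc/krb5.conf` in all Flink pods".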

Review comment:
       It's a bit unclear to me why the configuration option is required for K8s but not for Yarn/Mesos. If this option is not configured for Yarn/Mesos, which krb5-conf would be used? Should any alternative steps be taken?

##########
File path: docs/deployment/security/security-kerberos.md
##########
@@ -87,16 +87,20 @@ Steps to run a secure Flink cluster in standalone/cluster mode:
 2. Ensure that the keytab file exists at the path indicated by `security.kerberos.login.keytab` on all cluster nodes.
 3. Deploy Flink cluster as normal.
 
-### YARN/Mesos Mode
+### YARN, Mesos and native Kubernetes Mode
 
-Steps to run a secure Flink cluster in YARN/Mesos mode:
+Steps to run a secure Flink cluster in YARN, Mesos and native Kubernetes mode:
 
 1. Add security-related configuration options to the Flink configuration file on the client (see [here]({% link deployment/config.md %}#auth-with-external-systems)).
 2. Ensure that the keytab file exists at the path as indicated by `security.kerberos.login.keytab` on the client node.
 3. Deploy Flink cluster as normal.
 
 In YARN/Mesos mode, the keytab is automatically copied from the client to the Flink containers.
 
+In native Kubernetes mode, a Secret is automatically created with the given keytab and mounted on all Flink pods.
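
Review bot: the added Secret line (the last `+` line) gives the reader nothing to act on. A keytab is a long-lived credential, and this sentence says it is placed in a Secret and mounted on all Flink pods, so the doc should either state what the user needs to check (who can read Secrets in the namespace, whether the Secret is removed when the cluster is shut down) or describe the behaviour the same way the unchanged YARN/Mesos sentence above it does, without naming the Kubernetes object.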

Review comment:
       Any extra steps the user needs to take about the `Secret`? If not, I would suggest not to expose the internal details in this doc.



