[GitHub] [flink-kubernetes-operator] wangyang0918 commented on a change in pull request #42: [FLINK-26308][FLINK-26471] Separate Flink job role from operator role

[GitBox <gi...@apache.org>]

wangyang0918 commented on a change in pull request #42:
URL: https://github.com/apache/flink-kubernetes-operator/pull/42#discussion_r820367642



##########
File path: examples/basic-checkpoint-ha.yaml
##########
@@ -40,7 +40,7 @@ spec:
       cpu: 1
   podTemplate:
     spec:
-      serviceAccount: flink-operator
+      serviceAccount: flink

Review comment:
       We could also update the serviceAccount in `e2e-tests/data/cr.yaml` to `flink`.

##########
File path: helm/flink-operator/templates/rbac.yaml
##########
@@ -132,7 +190,25 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: {{ template "flink-operator.serviceAccountName" . }}
+    name: {{ include "flink-operator.serviceAccountName" . }}
+    namespace: {{ .Values.operatorNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1

Review comment:
       Given that watchNamespaces is not configured, I am thinking whether we really need to create the `ClusterRole` and `ClusterRoleBinding` for flink job. Maybe `Role` and `RoleBinding` is enough. If users want to create a FlinkDeployment in a different namespace with flink-k8s-operator, then they should create the `serviceAccount` `Role` `RoleBinding` manually. 




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org