Posted to commits@flink.apache.org by mb...@apache.org on 2022/07/02 08:13:29 UTC
[flink-kubernetes-operator] branch main updated: [FLINK-27975] Remove unnecessary RBAC rules from operator
This is an automated email from the ASF dual-hosted git repository.
mbalassi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 0997fe4 [FLINK-27975] Remove unnecessary RBAC rules from operator
0997fe4 is described below
commit 0997fe49657a435db1d323f0f5a49d556dd8c621
Author: Jeesmon Jacob <je...@gmail.com>
AuthorDate: Sat Jul 2 04:13:24 2022 -0400
[FLINK-27975] Remove unnecessary RBAC rules from operator
Removed un-used apiGroup and resources from required RBAC
Signed-off-by: Jeesmon Jacob <jj...@vmware.com>
---
docs/content/docs/operations/helm.md | 1 +
helm/flink-kubernetes-operator/templates/rbac.yaml | 17 ++++++++---------
helm/flink-kubernetes-operator/values.yaml | 5 +++++
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/docs/content/docs/operations/helm.md b/docs/content/docs/operations/helm.md
index 48c5a91..036d54f 100644
--- a/docs/content/docs/operations/helm.md
+++ b/docs/content/docs/operations/helm.md
@@ -64,6 +64,7 @@ The configurable parameters of the Helm chart and which default values as detail
| image.pullPolicy | The image pull policy of flink-kubernetes-operator. | IfNotPresent |
| image.tag | The image tag of flink-kubernetes-operator. | latest |
| rbac.create | Whether to enable RBAC to create for said namespaces. | true |
+| rbac.nodesRule.create | Whether to add RBAC rule to list nodes which is needed for rest-service exposed as NodePort type. | false |
| operatorPod.annotations | Custom annotations to be added to the operator pod (but not the deployment). | |
| operatorPod.labels | Custom labels to be added to the operator pod (but not the deployment). | |
| operatorServiceAccount.create | Whether to enable operator service account to create for flink-kubernetes-operator. | true |
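Review bot: the new `rbac.nodesRule.create` row does not say that the permission is granted at cluster scope, and it does not name the setting that makes it necessary. The values.yaml comment in this same commit gives both (`kubernetes.rest-service.exposed.type: NodePort` and "at the cluster scope"); repeating them here would let someone reading the table decide without opening values.yaml. Wording suggestion: "Whether to add an RBAC rule to list nodes, which is needed when the rest service is exposed as NodePort."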
diff --git a/helm/flink-kubernetes-operator/templates/rbac.yaml b/helm/flink-kubernetes-operator/templates/rbac.yaml
index f68d0ca..d65c3b6 100644
--- a/helm/flink-kubernetes-operator/templates/rbac.yaml
+++ b/helm/flink-kubernetes-operator/templates/rbac.yaml
@@ -21,25 +21,24 @@ RBAC rules used to create the operator (cluster)role based on the scope
*/}}
{{- define "flink-operator.rbacRules" }}
rules:
- - apiGroups:
- - flink-operator
- resources:
- - "*"
- verbs:
- - "*"
- apiGroups:
- ""
resources:
- pods
- services
- - endpoints
- - persistentvolumeclaims
- events
- configmaps
- secrets
- - nodes
verbs:
- "*"
+{{- if .Values.rbac.nodesRule.create }}
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+{{- end }}
- apiGroups:
- apps
resources:
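Review bot: the conditional `nodes` rule is emitted inside `flink-operator.rbacRules`, which the template comment says is used for the operator role or cluster role depending on scope. Nodes are a cluster-scoped resource, so if these rules are rendered into a namespaced Role the `list` grant has no effect and the operator would still be denied. Consider rendering this rule only into a ClusterRole, or stating next to `rbac.nodesRule.create` that it only takes effect with a cluster-scoped install. Separately, the core-group rule just above still grants `"*"` verbs on `secrets`, `configmaps` and the other remaining resources; narrowing those to the verbs the operator uses would fit the intent of this change, as a follow-up if not here.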
diff --git a/helm/flink-kubernetes-operator/values.yaml b/helm/flink-kubernetes-operator/values.yaml
index f980a3d..32ace20 100644
--- a/helm/flink-kubernetes-operator/values.yaml
+++ b/helm/flink-kubernetes-operator/values.yaml
@@ -31,6 +31,11 @@ imagePullSecrets: []
rbac:
create: true
+ # kubernetes.rest-service.exposed.type: NodePort requires
+ # list permission for nodes at the cluster scope.
+ # Set create to true if you are using NodePort type.
+ nodesRule:
+ create: false
operatorPod:
annotations: {}
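Review bot: the default `create: false` under `nodesRule` takes away a permission the chart previously always granted, since `nodes` sat in the core-group rule with verbs `"*"` before this commit. Existing installs that set `kubernetes.rest-service.exposed.type: NodePort` would lose node access on upgrade unless they also set `rbac.nodesRule.create: true`. The secure default is the right one, but the comment or the release notes should say explicitly that this is a behaviour change on upgrade.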