You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@flink.apache.org by gy...@apache.org on 2022/03/22 10:11:17 UTC

[flink-kubernetes-operator] branch main updated: [FLINK-26765] RBAC documentation

This is an automated email from the ASF dual-hosted git repository.

gyfora pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git


The following commit(s) were added to refs/heads/main by this push:
     new c7265c2  [FLINK-26765] RBAC documentation
c7265c2 is described below

commit c7265c2924da4723c1aa58d01e38282b782adc95
Author: Marton Balassi <ma...@apple.com>
AuthorDate: Mon Mar 21 20:52:26 2022 +0100

    [FLINK-26765] RBAC documentation
---
 README.md                                   |  2 +-
 docs/content/_index.md                      |  9 ++++++---
 docs/content/docs/operations/rbac.md        | 21 +++++++++++++++++++++
 docs/static/img/operations/rbac.svg         | 22 ++++++++++++++++++++++
 docs/static/img/{concepts => }/overview.svg |  0
 5 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 1b0fa6a..b50462c 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 A Kubernetes operator for Apache Flink, implemented in Java. It allows users to manage Flink applications and their lifecycle through native k8s tooling like kubectl.
 
-<img alt="Operator Overview" width="100%" src="docs/static/img/concepts/overview.svg">
+<img alt="Operator Overview" width="100%" src="docs/static/img/overview.svg">
 
 ## Documentation & Getting Started
 
diff --git a/docs/content/_index.md b/docs/content/_index.md
index 2448db7..c49e195 100644
--- a/docs/content/_index.md
+++ b/docs/content/_index.md
@@ -25,10 +25,13 @@ under the License.
 # Flink Kubernetes Operator
 
 The Flink Kubernetes Operator extends the [Kubernetes](https://kubernetes.io/) API with the ability to manage and operate 
-Flink Deployments. It features periodic savepoint triggers, stateful Flink job upgrades on configuration change and 
-admission control on job submission amongst others.
+Flink Deployments. The operator features the following amongst others:
+- Deploy and monitor Flink Application and Session deployments
+- Upgrade, suspend and delete deployments
+- Full logging and metrics integration
+- Flexible deployments and native integration with Kubernetes tooling
 
-{{< img src="/img/concepts/overview.svg" alt="Flink Operator Overview" >}}
+{{< img src="/img/overview.svg" alt="Flink Operator Overview" >}}
 
 {{< columns >}}
 ## Try the Flink Kubernetes Operator
diff --git a/docs/content/docs/operations/rbac.md b/docs/content/docs/operations/rbac.md
index 784fad4..e8267d4 100644
--- a/docs/content/docs/operations/rbac.md
+++ b/docs/content/docs/operations/rbac.md
@@ -25,3 +25,24 @@ under the License.
 -->
 
 # Role-based Access Control Model
+
+To be able to deploy the operator itself and Flink jobs, we define two separate Kubernetes 
+[roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole). 
+The former, called `flink-operator` role is used to manage the `flinkdeployments`, to create and manage the 
+[JobManager](https://nightlies.apache.org/flink/flink-docs-stable/docs/concepts/flink-architecture/#jobmanager) deployment
+for each Flink job and other resources like [services](https://kubernetes.io/docs/concepts/services-networking/service/).
+The latter, called the `flink` role is used by the JobManagers of the jobs to create and manage the 
+[TaskManagers](https://nightlies.apache.org/flink/flink-docs-stable/docs/concepts/flink-architecture/#taskmanagers) and
+[ConfigMaps](https://kubernetes.io/docs/concepts/configuration/configmap/) for the job.
+
+{{< img src="/img/operations/rbac.svg" alt="Flink Operator RBAC Model" >}}
+
+These service accounts and roles can be created via the operator Helm [chart]({{< ref "docs/operations/helm" >}}).
+By default the `flink-operator` role is cluster scoped (created as a `clusterrole`) and thus allowing a single operator
+instance to be responsible for all Flink deployments in a Kubernetes cluster regardless of the namespace they are
+deployed to. Certain environments are more restrictive and only allow namespaced roles, so we also support this option
+via [watchNamespaces]({{< ref "docs/operations/helm" >}}#watching-only-specific-namespaces).
+
+The `flink` role is always namespaced, by default it is created in the namespace of the operator. When 
+[watchNamespaces]({{< ref "docs/operations/helm" >}}#watching-only-specific-namespaces) is enabled it is created for all
+watched namespaces individually. 
\ No newline at end of file
diff --git a/docs/static/img/operations/rbac.svg b/docs/static/img/operations/rbac.svg
new file mode 100644
index 0000000..c3a0363
--- /dev/null
+++ b/docs/static/img/operations/rbac.svg
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<!-- Do not edit this file with editors other than diagrams.net -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="711px" height="411px" viewBox="-0.5 -0.5 711 411" content="&lt;mxfile host=&quot;app.diagrams.net&quot; modified=&quot;2022-03-21T19:44:45.920Z&quot; agent=&quot;5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36&quot; etag=&quot;ASVOU8XudkdSd1dHUmJy&quot; version=&quot;17.1.3&quot; type=&quot;device&quot;&gt;&lt;diagram id= [...]
\ No newline at end of file
diff --git a/docs/static/img/concepts/overview.svg b/docs/static/img/overview.svg
similarity index 100%
rename from docs/static/img/concepts/overview.svg
rename to docs/static/img/overview.svg