Role-based Access Control Model

To be able to deploy the operator itself and Flink jobs, we define two separate Kubernetes roles. The former, the flink-operator role, is used to manage the flinkdeployments custom resources, to create and manage the JobManager deployment for each Flink job, and to manage other resources such as services. The latter, the flink role, is used by the JobManagers of the jobs to create and manage the TaskManagers and ConfigMaps for the job.

[Figure: Flink Operator RBAC Model]

These service accounts and roles can be created via the operator Helm chart. By default the flink-operator role is cluster scoped (created as a clusterrole), which allows a single operator instance to be responsible for all Flink deployments (jobs) in a Kubernetes cluster regardless of the namespace they are deployed to (with the additional steps described below). Certain environments are more restrictive and only allow namespaced roles, so we also support this option via watchNamespaces.

The flink role is always namespaced; by default it is created in the namespace of the operator. When watchNamespaces is enabled it is created in each watched namespace individually.

The steps described in the quick-start let users install the Flink operator and run Flink jobs in the default namespace. To run Flink jobs in another namespace, users are responsible for creating a flink service account (together with its role and role binding) in that namespace. This applies when users deploy a cluster-scoped Flink operator without the --set watchNamespaces={namespaces} option and later wish to create Flink jobs in other namespaces.

For each additional namespace that runs Flink jobs, users need to do the following:

  1. Switch to the namespace by running:

```bash
kubectl config set-context --current --namespace=CHANGEIT
```

  2. Create the service account, role, and role binding in the namespace using the commands below:

```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: 1.0.1
  name: flink
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: 1.0.1
  name: flink
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - '*'
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: 1.0.1
  name: flink-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink
subjects:
  - kind: ServiceAccount
    name: flink
EOF
```

  3. Optionally create an example Flink job in the namespace. Run the command from the root of the cloned flink-kubernetes-operator repo:

```bash
kubectl apply -f example/basic.yaml
```
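The three steps above can be wrapped in a single script that does not touch the user's kubeconfig. The following is an added example, not part of the Flink operator project or its Helm chart: it renders the same ServiceAccount, Role and RoleBinding as the manifest above but stamps an explicit metadata.namespace on every object (and on the RoleBinding subject) so it can be applied from any kubectl context, and then checks with kubectl auth can-i that the flink service account can manage pods, configmaps and deployments only inside its own namespace. The script name, the render/apply sub-commands and the flink_rbac_* function names are assumptions for this example; the Role rules are copied unchanged from the page.

```shell
#!/bin/sh
# Added example, not project code: per-namespace RBAC for the Flink "flink"
# service account without switching the current kubectl context.
set -eu

OPERATOR_VERSION="1.0.1"   # label value used by the page's manifest

# Print the ServiceAccount, Role and RoleBinding for namespace $1 on stdout.
# Every object carries an explicit namespace; the RoleBinding subject does too,
# so reusing the file later cannot silently bind a "flink" account elsewhere.
flink_rbac_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
  namespace: ${ns}
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: ${OPERATOR_VERSION}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink
  namespace: ${ns}
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: ${OPERATOR_VERSION}
rules:
  - apiGroups: [""]
    resources: [pods, configmaps]
    verbs: ["*"]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-role-binding
  namespace: ${ns}
  labels:
    app.kubernetes.io/name: flink-kubernetes-operator
    app.kubernetes.io/version: ${OPERATOR_VERSION}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink
subjects:
  - kind: ServiceAccount
    name: flink
    namespace: ${ns}
EOF
}

# Check the live cluster via impersonation (needs "impersonate" rights on
# serviceaccounts). Expected answers: allowed in $1, denied for secrets and
# denied in another namespace $2 (default: "default"). Non-zero on mismatch.
flink_rbac_verify() {
  ns="$1"; other="${2:-default}"
  sa="system:serviceaccount:${ns}:flink"
  failures=0
  while read -r verb res target expect; do
    got=$(kubectl auth can-i "$verb" "$res" -n "$target" --as="$sa" 2>/dev/null || true)
    if [ "$got" != "$expect" ]; then
      echo "MISMATCH: $verb $res in $target: expected $expect, got ${got:-error}" >&2
      failures=$((failures + 1))
    fi
  done <<EOF
create pods ${ns} yes
delete deployments.apps ${ns} yes
create configmaps ${ns} yes
get secrets ${ns} no
create pods ${other} no
EOF
  [ "$failures" -eq 0 ]
}

# Usage: flink-ns-rbac.sh render <namespace>   (print manifest only)
#        flink-ns-rbac.sh apply  <namespace>   (apply, then verify)
case "${1:-}" in
  "")     ;;   # no arguments: only define the functions
  render) flink_rbac_manifest "${2:?namespace required}" ;;
  apply)  ns="${2:?namespace required}"
          flink_rbac_manifest "$ns" | kubectl apply -f -
          flink_rbac_verify "$ns" ;;
  *)      echo "usage: $0 {render|apply} <namespace>" >&2; exit 2 ;;
esac
```

Two things worth noticing when running this. First, the "get secrets ... no" and "create pods in another namespace ... no" checks are what actually confirm that the binding is namespace-scoped; a wrongly created ClusterRoleBinding with the same name would pass the three positive checks and fail these. Second, the Role grants '*' verbs on pods, configmaps and deployments exactly as on the page; the script keeps that rule set unchanged so the JobManager behaves as documented, but it is the place to narrow the verb list if your environment requires it.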