Maksim Aniskov created FLINK-38552:
--------------------------------------
Summary: FlinkStateSnapshot does not work if operator's namespace
not in watchNamespaces
Key: FLINK-38552
URL: https://issues.apache.org/jira/browse/FLINK-38552
Project: Flink
Issue Type: Bug
Components: Kubernetes Operator
Reporter: Maksim Aniskov
If Flink Kubernetes Operator is deployed using [the Helm
chart|https://github.com/apache/flink-kubernetes-operator/tree/main/helm/flink-kubernetes-operator]
and the operator's namespace is not listed in [_watchNamespaces_
value|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/values.yaml#L23],
support for _FlinkStateSnapshot_ CRDs gets disabled.
The operator's
[isCrdInstalled|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/flink-kubernetes-operator/src/main/java/org/apache/flink/kubernetes/operator/utils/KubernetesClientUtils.java#L73]
check requires _list_ permission for _flinkstatesnapshots_ verb in the
operator's namespace.
When the namespace is listed in {_}watchNamespaces{_}, [this
template|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/role.yaml#L24-L32]
creates the Kubernetes role with the necessary permission defined in
[helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/_helpers.tpl#L135].
When the operator's namespace isn't in {_}watchNamespaces{_}, this part of the
template defines the role:
[helm/flink-kubernetes-operator/templates/rbac/role.yaml#L33-L56|https://github.com/apache/flink-kubernetes-operator/blob/release-1.13/helm/flink-kubernetes-operator/templates/rbac/role.yaml#L33-L56]
This part should also define the permission, like the following.
{code:java}
- apiGroups:
    - flink.apache.org
  resources:
    - flinkstatesnapshots
  verbs:
    - list
{code}
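The permission gap described in the report can be checked offline against a Role exported with `kubectl get role <name> -o json`. The following is an added example, not code from the reporter or the operator project; the two sample Roles and all function names are constructed for illustration.

```python
# Added example: does a namespaced Role grant `list` on flinkstatesnapshots?
# Input shape is the JSON form of a Role (`kubectl get role <name> -o json`).
GROUP, RESOURCE, VERB = "flink.apache.org", "flinkstatesnapshots", "list"

def _allows(allowed, wanted):
    """RBAC treats '*' in apiGroups/resources/verbs as match-all."""
    allowed = allowed or []
    return "*" in allowed or wanted in allowed

def rule_grants(rule, group=GROUP, resource=RESOURCE, verb=VERB):
    # A rule pinned to resourceNames does not authorize an unrestricted list,
    # so it is treated as not granting the permission (conservative choice).
    if rule.get("resourceNames"):
        return False
    return (_allows(rule.get("apiGroups"), group)
            and _allows(rule.get("resources"), resource)
            and _allows(rule.get("verbs"), verb))

def role_grants(role, **kw):
    """True if any rule in the Role grants the requested access."""
    return any(rule_grants(r, **kw) for r in role.get("rules") or [])

def missing_rule(role):
    """Return the rule to add (as in the report), or None if already granted."""
    if role_grants(role):
        return None
    return {"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": [VERB]}

# Constructed sample: a Role for the operator's own namespace lacking the rule.
ROLE_UNWATCHED = {"kind": "Role", "rules": [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
    {"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": ["get"],
     "resourceNames": ["example-snapshot"]},
]}
# Constructed sample: the same Role with the rule proposed in the report.
ROLE_FIXED = {"kind": "Role", "rules": ROLE_UNWATCHED["rules"] + [
    {"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": ["list"]},
]}

if __name__ == "__main__":
    for name, role in (("unwatched", ROLE_UNWATCHED), ("fixed", ROLE_FIXED)):
        print(name, "grants list:", role_grants(role), "add:", missing_rule(role))
```
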