[
https://issues.apache.org/jira/browse/FLINK-29131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17609248#comment-17609248
]
Dylan Meissner commented on FLINK-29131:
----------------------------------------
The Helm chart changes dramatically to do this work. I'm not even clear if it
could cleanly upgrade. Testing may upgrade scenarios is intimidating.
When I first brought up this idea in Slack we agreed
_if you have time opening a JIRA ticket and a minimal PR to address it, we
would be happy to review and merge this_
Do we still envision a small change?
> Kubernetes operator webhook can use hostPort
> --------------------------------------------
>
> Key: FLINK-29131
> URL: https://issues.apache.org/jira/browse/FLINK-29131
> Project: Flink
> Issue Type: Improvement
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.1.0
> Reporter: Dylan Meissner
> Assignee: Dylan Meissner
> Priority: Minor
>
> When running Flink operator on EKS cluster with Calico networking the
> control-plane (managed by AWS) cannot reach the webhook. Requests to create
> Flink resources fail with {_}Address is not allowed{_}.
> When the webhook listens on hostPort the requests to create Flink resources
> are successful. However, a pod security policy is generally required to allow
> webhook to listen on such ports.
> To support this scenario with the Helm chart make changes so that we can
> * Specify a hostPort value for the webhook
> * Name the port that the webhook listens on
> * Use the named port in the webhook service
> * Add a "use" pod security policy verb to cluster role
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
