Role-based Access Control Model #

To be able to deploy the operator itself and Flink jobs, we define two separate Kubernetes roles. The former, called flink-operator role is used to manage the flinkdeployments, to create and manage the JobManager deployment for each Flink job and other resources like services. The latter, called the flink role is used by the JobManagers of the jobs to create and manage the TaskManagers and ConfigMaps for the job.

These service accounts and roles can be created via the operator Helm chart. By default the flink-operator role is cluster scoped (created as a clusterrole) and thus allowing a single operator instance to be responsible for all Flink deployments in a Kubernetes cluster regardless of the namespace they are deployed to. Certain environments are more restrictive and only allow namespaced roles, so we also support this option via watchNamespaces.

The flink role is always namespaced, by default it is created in the namespace of the operator. When watchNamespaces is enabled it is created for all watched namespaces individually.