Role-based Access Control Model
To be able to deploy the operator itself and Flink jobs, we define two separate Kubernetes roles.
The former, called the flink-operator role, is used to manage the
flinkdeployments, to create and manage the
for each Flink job and other resources like services.
The latter, called the flink role, is used by the JobManagers of the jobs to create and manage the ConfigMaps for the job.
These service accounts and roles can be created via the operator Helm chart.
By default the flink-operator role is cluster scoped (created as a clusterrole), which allows a single operator instance to be responsible for all Flink deployments in a Kubernetes cluster regardless of the namespace they are deployed to. Certain environments are more restrictive and only allow namespaced roles, so we also support this option. The flink role is always namespaced; by default it is created in the namespace of the operator. When watchNamespaces is enabled it is created for all watched namespaces individually.
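
One way to check which scope each service account actually ends up with, as an added example that is not part of the operator documentation or its Helm chart. The RBAC objects are constructed; the flink-system, team-a and team-b namespaces and the rule contents are assumptions, and rule matching looks at resources and verbs only.

```python
# Constructed RBAC objects. Only the names flink-operator, flink and
# flinkdeployments come from the page; namespaces and rules are assumptions.
OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "flink-operator"},
     "rules": [{"resources": ["flinkdeployments", "services"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "flink-operator"},
     "roleRef": {"kind": "ClusterRole", "name": "flink-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "flink-operator", "namespace": "flink-system"}]},
]
for ns in ("team-a", "team-b"):  # one flink Role per watched namespace
    OBJECTS += [
        {"kind": "Role", "metadata": {"name": "flink", "namespace": ns},
         "rules": [{"resources": ["configmaps"], "verbs": ["*"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "flink", "namespace": ns},
         "roleRef": {"kind": "Role", "name": "flink"},
         "subjects": [{"kind": "ServiceAccount", "name": "flink", "namespace": ns}]},
    ]

def _match(values, wanted):
    return "*" in values or wanted in values

def allowed_namespaces(objects, sa_name, sa_ns, verb, resource):
    """Return "*" for a cluster-wide grant, else the set of namespaces."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    found = set()
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b.get("subjects", [])):
            continue
        ref, bind_ns = b["roleRef"], b["metadata"].get("namespace")
        # A Role is resolved in the binding's namespace; a ClusterRole has none.
        role = roles.get((ref["kind"], bind_ns if ref["kind"] == "Role" else None,
                          ref["name"]))
        if role is None or not any(_match(r.get("verbs", []), verb)
                                   and _match(r.get("resources", []), resource)
                                   for r in role.get("rules", [])):
            continue
        if b["kind"] == "ClusterRoleBinding":
            return "*"          # cluster-scoped: every namespace
        found.add(bind_ns)      # a RoleBinding grants only in its own namespace
    return found

if __name__ == "__main__":
    print(allowed_namespaces(OBJECTS, "flink", "team-a", "create", "configmaps"))
```

Binding the same ClusterRole with a RoleBinding instead of a ClusterRoleBinding limits the grant to the binding's namespace, which is how a role can be restricted to individual namespaces in Kubernetes.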