[ 
https://issues.apache.org/jira/browse/FLINK-28554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571885#comment-17571885
 ] 

Tim commented on FLINK-28554:
-----------------------------

Hi [~wangyang0918], it's not about changing the configuration, it's more about 
making it possible to set
{code:yaml}
readOnlyRootFilesystem: true{code}
for the operator to comply with security checks in our environment. And without 
the change to the template (see: 
[https://github.com/apache/flink-kubernetes-operator/compare/main...timsn:flink-kubernetes-operator:mount-single-flink-conf-files])
 and in combination with the mentioned emptyDir volumes in the values.yaml (see 
in the description) it's not possible to run the operator because it simply 
crashes / refuses to start. You can try that yourself by adding:
{code:yaml}
operatorSecurityContext:
  readOnlyRootFilesystem: true
{code}
to your values.yaml. The operator won't be able to start.

> Kubernetes-Operator allow readOnlyRootFilesystem via operatorSecurityContext
> ----------------------------------------------------------------------------
>
>                 Key: FLINK-28554
>                 URL: https://issues.apache.org/jira/browse/FLINK-28554
>             Project: Flink
>          Issue Type: Improvement
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.0.1
>            Reporter: Tim
>            Priority: Minor
>              Labels: operator
>
> It would be nice if the operator would support using the 
> "readOnlyRootFilesystem" setting via the operatorSecurityContext. When using 
> the default operator template the operator won't be able to start when using 
> this setting because the config files mounted in `/opt/flink/conf` are now 
> (of course) also read-only.
> It would be nice if the default template were written in such a way that 
> it allows adding emptyDir volumes to /opt/flink/conf via the values.yaml, 
> which is not possible right now. Then the config files can remain editable by 
> the operator while keeping the root filesystem read-only.
> I have successfully tried that in my branch (see: 
> https://github.com/apache/flink-kubernetes-operator/compare/main...timsn:flink-kubernetes-operator:mount-single-flink-conf-files)
>  which prepares the operator template.
> After this small change to the template it is possible to add emptyDir volumes 
> for the conf and tmp dirs and, in a second step, to enable the 
> readOnlyRootFilesystem setting via the values.yaml.
> values.yaml
> {code:yaml}
> [...]
> operatorVolumeMounts:
>   create: true
>   data:
>     - name: flink-conf
>       mountPath: /opt/flink/conf
>       subPath: conf
>     - name: flink-tmp
>       mountPath: /tmp
> operatorVolumes:
>   create: true
>   data:
>     - name: flink-conf
>       emptyDir: {}
>     - name: flink-tmp
>       emptyDir: {}
> operatorSecurityContext:
>   readOnlyRootFilesystem: true
> [...]{code}
> I think this could be a viable way to allow this security setting and I could 
> turn this into a pull request if desired. What do you think about it? Or is 
> there even a better way to achieve this I didn't think about yet?



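The failure mode discussed in this thread (a read-only root filesystem breaking a process that writes into /opt/flink/conf and /tmp) can be caught before rollout by inspecting the rendered pod spec rather than waiting for the container to crash. The check below is an added example written for this page; it is not code from the Jira thread or from the flink-kubernetes-operator project. It takes a pod spec in the shape `kubectl get pod -o json` returns under `.spec`. The required-writable path list, the classification of volume types, the two sample specs and the container/volume names in them are assumptions constructed here: the "broken" spec models config mounted from a ConfigMap with the root filesystem locked down, the "fixed" spec mirrors the emptyDir values from the issue.

```python
"""Policy check: a container that sets readOnlyRootFilesystem must have every
path it writes to backed by a writable volume.

Added example for this page, not flink-kubernetes-operator code."""

# Paths the operator needs to write at startup, per the issue above
# (assumed list for this example; extend it for your own images).
REQUIRED_WRITABLE = ("/opt/flink/conf", "/tmp")

# Volume types Kubernetes always mounts read-only, whatever the
# container's securityContext says.
READ_ONLY_VOLUME_TYPES = ("configMap", "secret", "downwardAPI", "projected")


def volume_is_writable(volume):
    """True unless the volume is one of the inherently read-only types."""
    return not any(kind in volume for kind in READ_ONLY_VOLUME_TYPES)


def writable_mount_covers(path, mount, volumes):
    """True if `mount` places a writable volume at `path` or at a parent of it."""
    volume = volumes.get(mount["name"])
    if volume is None or mount.get("readOnly", False) or not volume_is_writable(volume):
        return False
    mount_path = mount["mountPath"].rstrip("/") or "/"
    return path == mount_path or path.startswith(mount_path.rstrip("/") + "/")


def check_pod(pod_spec, required=REQUIRED_WRITABLE):
    """Return {container name: [findings]}; an empty list means the container passes."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    report = {}
    for container in pod_spec.get("containers", []):
        findings = []
        security = container.get("securityContext", {})
        if security.get("readOnlyRootFilesystem") is not True:
            findings.append("readOnlyRootFilesystem is not set to true")
        mounts = container.get("volumeMounts", [])
        for mount in mounts:
            if mount["name"] not in volumes:
                findings.append(f"volumeMount {mount['name']!r} refers to a volume the pod does not declare")
        for path in required:
            if not any(writable_mount_covers(path, m, volumes) for m in mounts):
                findings.append(
                    f"{path} is not backed by a writable volume; with readOnlyRootFilesystem "
                    "writes there fail with EROFS and the process will not start"
                )
        report[container["name"]] = findings
    return report


# Constructed sample (not a real rendered chart): config comes from a ConfigMap
# and the root filesystem is read-only, so neither required path is writable.
BROKEN = {
    "volumes": [{"name": "flink-conf", "configMap": {"name": "flink-operator-config"}}],
    "containers": [{
        "name": "flink-kubernetes-operator",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "flink-conf", "mountPath": "/opt/flink/conf"}],
    }],
}

# Constructed sample mirroring the values.yaml from the issue: emptyDir volumes
# for the conf and tmp dirs keep those paths writable under a read-only root.
FIXED = {
    "volumes": [
        {"name": "flink-conf", "emptyDir": {}},
        {"name": "flink-tmp", "emptyDir": {}},
    ],
    "containers": [{
        "name": "flink-kubernetes-operator",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [
            {"name": "flink-conf", "mountPath": "/opt/flink/conf", "subPath": "conf"},
            {"name": "flink-tmp", "mountPath": "/tmp"},
        ],
    }],
}

if __name__ == "__main__":
    for label, spec in (("broken", BROKEN), ("fixed", FIXED)):
        for name, findings in check_pod(spec).items():
            print(f"[{label}] {name}: {'OK' if not findings else ''}")
            for finding in findings:
                print(f"    - {finding}")
```

Run it against the `.spec.template.spec` of the Deployment that `helm template` renders for your values, not just a hand-written spec; the point of the check is that a writable mount for each path the process touches is a precondition for turning on readOnlyRootFilesystem, and a ConfigMap-backed mount does not satisfy it.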
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
