[ https://issues.apache.org/jira/browse/FLINK-29131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17612621#comment-17612621 ]

Dylan Meissner edited comment on FLINK-29131 at 10/4/22 3:14 PM:
-----------------------------------------------------------------

In the course of all these investigations, my team and I have drifted away from 
using Helm to deploy the operator and its webhook. It is a wonderful, low-friction 
tool normally. But we had at least these problems with it:
 * Webhook not reachable in EKS clusters using Calico networking
 * Helm does not update CRDs after initially installing them

We used what we learned working with Helm to author our own Terraform modules 
to apply on our many AWS EKS clusters.

Although not using Helm, I am in a good position to describe the work required 
and offer usability suggestions to benefit future Helmers. I am happy to write 
a proposal on the dev mailing list.


was (Author: dylanmei):
In the course of all these investigations, my team and I have drifted away from 
using Helm to deploy the operator and its webhook. It is a wonderful, low-friction 
tool normally. But we had at least these problems with it:
 * Webhook not reachable in EKS clusters using Calico networking
 * Helm does not update CRDs after initially installing them

We used what we learned working with Helm to author our own Terraform modules 
to apply on our many AWS EKS clusters.

Although not using Helm, I am in a good position to describe the work required 
and offer usability suggestions for future Helmers. I am happy to write a 
proposal on the dev mailing list.

> Kubernetes operator webhook can use hostPort
> --------------------------------------------
>
>                 Key: FLINK-29131
>                 URL: https://issues.apache.org/jira/browse/FLINK-29131
>             Project: Flink
>          Issue Type: Improvement
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.1.0
>            Reporter: Dylan Meissner
>            Assignee: Dylan Meissner
>            Priority: Minor
>
> When running the Flink operator on an EKS cluster with Calico networking, the 
> control plane (managed by AWS) cannot reach the webhook. Requests to create 
> Flink resources fail with "Address is not allowed".
> When the webhook listens on a hostPort, the requests to create Flink resources 
> are successful. However, a pod security policy is generally required to allow 
> the webhook to listen on such ports.
> To support this scenario with the Helm chart make changes so that we can
>  * Specify a hostPort value for the webhook
>  * Name the port that the webhook listens on
>  * Use the named port in the webhook service
>  * Add a "use" pod security policy verb to cluster role



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
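The four chart changes listed in the issue description, spelled out as plain Kubernetes manifests. This is an added example written for this page; it is not the Flink Kubernetes Operator's Helm chart or any code from the issue. The resource names, the namespace, the container image, the port numbers and the PodSecurityPolicy name are all assumptions chosen for illustration.

```yaml
# Added example, not the project's chart. Names, namespace, image and ports are assumed.
#
# 1. Deployment: the webhook container gets a *named* port and a hostPort.
#    hostPort binds the port in the node's network namespace, which is what lets
#    a managed control plane reach the webhook on the node IP when pod-network
#    traffic (here via Calico) is not routable from the control plane.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flink-operator                 # assumed
  namespace: flink-operator            # assumed
spec:
  replicas: 1
  selector:
    matchLabels: {app: flink-operator}
  template:
    metadata:
      labels: {app: flink-operator}
    spec:
      serviceAccountName: flink-operator   # assumed; bound to the ClusterRole below
      containers:
        - name: flink-webhook
          image: example.invalid/flink-kubernetes-operator:1.1.0   # placeholder image
          ports:
            - name: webhook            # 2. named port, referenced by the Service
              containerPort: 9443      # assumed in-pod listen port
              hostPort: 9443           # 1. also bind on the node (one pod per node can hold it)
              protocol: TCP
---
# 3. Service: targetPort refers to the port *name*, so the Service follows the
#    container port even if the number is changed in one place.
apiVersion: v1
kind: Service
metadata:
  name: flink-operator-webhook         # assumed
  namespace: flink-operator
spec:
  selector: {app: flink-operator}
  ports:
    - name: webhook
      port: 443
      targetPort: webhook              # named port, not a number
---
# 4a. A PodSecurityPolicy that allows exactly the one host port, nothing more.
#     PSP is the mechanism the issue names; note that the API is deprecated in
#     Kubernetes 1.21 and removed in 1.25, so this part only applies to older clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: flink-operator-hostport        # assumed
spec:
  privileged: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  hostPorts:
    - min: 9443
      max: 9443
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: ["configMap", "secret", "emptyDir", "projected"]
---
# 4b. ClusterRole with the "use" verb, scoped by resourceNames to that one PSP,
#     plus the binding that attaches it to the operator's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flink-operator-use-psp         # assumed
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["flink-operator-hostport"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flink-operator-use-psp         # assumed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flink-operator-use-psp
subjects:
  - kind: ServiceAccount
    name: flink-operator
    namespace: flink-operator
```

Two checks worth running before relying on this. First, confirm the service account can actually use the policy with `kubectl auth can-i use podsecuritypolicy/flink-operator-hostport --as=system:serviceaccount:flink-operator:flink-operator`; a missing "use" grant fails at pod admission, not at Deployment creation, so the symptom is a ReplicaSet that never produces a pod. Second, keep the `hostPorts` range and the `resourceNames` list as narrow as above: a PSP with an open host port range, or a ClusterRole that grants "use" on every policy, would let the same service account schedule far more privileged pods than the webhook needs. A hostPort also means the webhook is reachable on the node IP from anything that can route to the node, so the webhook's TLS and the API server's caBundle remain the only things authenticating the caller.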
