[jira] [Updated] (FLINK-35338) Enable FS Plugins as non-root

Mon, 13 May 2024 04:27:03 -0700 


     [ 
https://issues.apache.org/jira/browse/FLINK-35338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rasmus Thygesen updated FLINK-35338:
------------------------------------
    Affects Version/s: 1.8.0

> Enable FS Plugins as non-root
> -----------------------------
>
>                 Key: FLINK-35338
>                 URL: https://issues.apache.org/jira/browse/FLINK-35338
>             Project: Flink
>          Issue Type: New Feature
>          Components: Kubernetes Operator
>    Affects Versions: 1.8.0
>            Reporter: Rasmus Thygesen
>            Priority: Not a Priority
>
> [This pull 
> request|https://github.com/apache/flink-kubernetes-operator/pull/609] was 
> made to allow enabling FS plugins on the Flink Kubernetes Operator which 
> allows reading a jar for a session job on various file systems. It normally 
> works well, but we are running our cluster with ** *[Restricted Pod 
> Security|https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted]*
>  ** which among other things mean the flink operator pod is configured to use 
> *readOnlyRootFilesystem* and *runAsNonRoot* which means we are not allowed to 
> write to our plugins directory.
>  
> We have tried using *operatorVolumes* and *operatorVolumeMounts* to mount 
> */opt/flink/plugins* which would allow us to write to it, but that overrides 
> all the pre-installed plugins. When all the pre-installed plugins are removed 
> before startup, the operator sees the directory for the plugin we are trying 
> to install, but does not find a jar file inside the directory and therefore 
> complains. We think that when the pre-installed plugins are there, the 
> operator takes a bit longer before it starts reading the new plugin and 
> therefore there is enough time to download the new plugin with curl.
>  
> We are open to suggestions for how we can solve this issue while keeping 
> *readOnlyRootFilesystem* and {*}runAsNonRoot{*}. We are considering a 
> solution where we mount a volume and download all the pre-installed plugins 
> as well as any extra plugins we need through an init container and we propose 
> a new value to the Flink Operator Helm chart



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to