Your Cloud, Your Rules: Ververica's Bring Your Own Cloud Deployment
When you run helm install for Ververica Platform, it automatically creates a Service Account and the corresponding Role and RoleBinding. Is it possible to use my own service account, and if so, what roles does it need and how do I configure it?
Note: This section applies to Ververica Platform 2.0-2.8.
Yes, it is possible. The remainder of the article uses the following variables:
- $vvpSA: the name of the service account used by the VVP pod
- $flinkSA: the name of the service account used by the Flink job pods
- $vvpNamespace: the Kubernetes namespace where Ververica Platform runs
- $jobNamespace: the Kubernetes namespace where Ververica Platform deployments run
In order to allow your VVP service account to create and manage job pods in $jobNamespace, run the following commands. They are otherwise executed automatically during Ververica Platform installation when rbac.create is set to true. Note that this is a namespaced Role bound with a RoleBinding, so the granted verbs apply only inside $jobNamespace.
```shell
# create a Kubernetes Role "vvp-role" in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vvp-role
  namespace: $jobNamespace
rules:
- apiGroups: [ "apps", "extensions" ]
  resources: [ "deployments" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "" ]
  resources: [ "configmaps", "pods", "services", "secrets", "serviceaccounts" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "batch" ]
  resources: [ "jobs" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
  resources: [ "roles", "rolebindings" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the VVP service account living in $vvpNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vvp-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vvp-role
subjects:
- kind: ServiceAccount
  name: $vvpSA
  namespace: $vvpNamespace
EOF
```
If you want to use Kubernetes HA in Ververica Platform, make sure the service account in $jobNamespace has permission to access Kubernetes ConfigMaps (Flink stores its HA metadata there). To grant the permission:
```shell
# create a Kubernetes Role "flink-role" in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-role
  namespace: $jobNamespace
rules:
- apiGroups: [ "" ]
  resources: [ "configmaps" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the Flink service account in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-role
subjects:
- kind: ServiceAccount
  name: $flinkSA
  namespace: $jobNamespace
EOF
```
Here is a breakdown of the required permissions and why the platform needs them:

| Resource | Permissions | Reason |
|---|---|---|
| Deployments | create, delete, get, list, patch, update, watch | Create, modify, delete and monitor Flink jobs |
| ConfigMaps | create, delete, get, list, patch, update, watch | Store configurations for Flink jobs |
| Pods | create, delete, get, list, patch, update, watch | Deploy Flink job containers |
| Services | create, delete, get, list, patch, update, watch | Expose Flink's REST API and JobManager/TaskManager services |
| Secrets | create, delete, get, list, patch, update, watch | Store sensitive information (e.g., credentials for external systems used within the Flink jobs) |
| ServiceAccounts | create, delete, get, list, patch, update, watch | Assign identities for Flink jobs to access other services |
| Jobs | create, delete, get, list, patch, update, watch | Create, modify, delete and monitor Flink jobs |
| Roles | create, delete, get, list, patch, update, watch | |
| RoleBindings | create, delete, get, list, patch, update, watch | Bind roles to service accounts to grant permissions |
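Before relying on a bring-your-own account, confirm that it holds the verbs granted by vvp-role and flink-role above and nothing broader. The script below is an added example (not from Ververica's documentation or Helm chart): it drives kubectl auth can-i with service-account impersonation, reuses the article's variable names (the default values are placeholders), and the KUBECTL override and RUN_CHECK guard are conventions of this example only.

```shell
#!/bin/sh
# Added example (not Ververica code): verify a bring-your-own service account
# holds exactly the verbs this article grants, via "kubectl auth can-i --as".
: "${vvpSA:=vvp}"             # placeholders; export your real names instead
: "${flinkSA:=flink}"
: "${vvpNamespace:=vvp}"
: "${jobNamespace:=vvp-jobs}"
KUBECTL="${KUBECTL:-kubectl}"  # point at a wrapper to dry-run

# <apiGroup>/<resource> pairs taken from vvp-role and flink-role above
# (an empty group before "/" means the core API group)
VVP_ROLE_RESOURCES="apps/deployments extensions/deployments /configmaps /pods /services /secrets /serviceaccounts batch/jobs rbac.authorization.k8s.io/roles rbac.authorization.k8s.io/rolebindings"
FLINK_ROLE_RESOURCES="/configmaps"
ROLE_VERBS="create delete get list patch update watch"

# check_sa_perms SA SA_NAMESPACE TARGET_NAMESPACE RESOURCES
# Prints one line per missing permission; exit status = number missing.
check_sa_perms() {
  sa=$1; sa_ns=$2; target_ns=$3; resources=$4
  subject="system:serviceaccount:${sa_ns}:${sa}"
  missing=0
  for res in $resources; do
    group=${res%%/*}; kind=${res#*/}
    if [ -n "$group" ]; then target="${kind}.${group}"; else target=$kind; fi
    for verb in $ROLE_VERBS; do
      # kubectl prints "yes" or "no" and exits non-zero on "no"
      answer=$("$KUBECTL" auth can-i "$verb" "$target" --as="$subject" \
                 -n "$target_ns" 2>/dev/null || true)
      if [ "$answer" != "yes" ]; then
        echo "MISSING: $subject cannot $verb $target in $target_ns"
        missing=$((missing + 1))
      fi
    done
  done
  return "$missing"
}

# Succeeds only if the SA does NOT hold wildcard rights in TARGET_NAMESPACE,
# i.e. it was not bound to something far broader than the Role above.
check_not_wildcard() {
  subject="system:serviceaccount:$2:$1"
  answer=$("$KUBECTL" auth can-i '*' '*' --as="$subject" -n "$3" 2>/dev/null || true)
  [ "$answer" != "yes" ]
}

if [ "${RUN_CHECK:-0}" = 1 ]; then   # usage: RUN_CHECK=1 sh check-sa.sh
  check_sa_perms "$vvpSA" "$vvpNamespace" "$jobNamespace" "$VVP_ROLE_RESOURCES"
  check_sa_perms "$flinkSA" "$jobNamespace" "$jobNamespace" "$FLINK_ROLE_RESOURCES"
  check_not_wildcard "$vvpSA" "$vvpNamespace" "$jobNamespace"
fi
```

Running it before the RoleBinding is applied should list every verb as missing; afterwards it should print nothing and exit 0, and a non-empty report later on is a sign that someone has edited the Role.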
To tell Ververica Platform to use your service account, create a Helm values file vvp-sa.yaml, or merge the following settings into your existing values file:

```yaml
rbac:
  create: false
  serviceAccountName: $vvpSA
```

then run:

```shell
helm upgrade --install vvp ververica/ververica-platform --version <version> \
  --namespace $vvpNamespace \
  --values vvp-sa.yaml \
  ... <any other options/values files you need>
```
With the service account created in $jobNamespace, you can now configure Ververica Platform deployments to use it by adding the following to the deployment spec:

```yaml
# set the service account in the deployment
spec:
  template:
    spec:
      kubernetes:
        jobManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA
        taskManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA
```