How to Use My Own Service Account in Ververica Platform

Question

When Ververica Platform is installed with helm install, it automatically creates a Service Account and the corresponding Role and RoleBinding. Is it possible to use my own service account instead, and what permissions does it need? If so, how?

Answer

Note: This section applies to Ververica Platform 2.0-2.8.

Yes, it is possible. The remainder of the article uses the following variables:

- $vvpSA: the name of the service account to be used in the VVP pod
- $flinkSA: the name of the service account to be used in the Flink job pods
- $vvpNamespace: the Kubernetes namespace where Ververica Platform runs
- $jobNamespace: the Kubernetes namespace where Ververica Platform deployments run

Configure Role/RoleBinding for Service Account

To allow your VVP service account to create and manage job pods in $jobNamespace, run the following commands. They reproduce what the Helm chart otherwise does automatically during Ververica Platform installation when rbac.create is set to true.

# create a Kubernetes role "vvp-role" in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vvp-role
  namespace: $jobNamespace
rules:
- apiGroups: [ "apps", "extensions" ]
  resources: [ "deployments" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "" ]
  resources: [ "configmaps", "pods", "services", "secrets", "serviceaccounts" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "batch" ]
  resources: [ "jobs" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
  resources: [ "roles", "rolebindings" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the service account in $vvpNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vvp-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vvp-role
subjects:
- kind: ServiceAccount
  name: $vvpSA
  namespace: $vvpNamespace
EOF

If you want to use Kubernetes HA in Ververica Platform, make sure the Flink service account ($flinkSA) in $jobNamespace has permission to access Kubernetes ConfigMaps, which Flink's Kubernetes HA services use to store leader and checkpoint metadata. To grant the permission:

# create a Kubernetes role in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-role
  namespace: $jobNamespace
rules:
- apiGroups: [ "" ]
  resources: [ "configmaps"]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the service account in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-role
subjects:
- kind: ServiceAccount
  name: $flinkSA
  namespace: $jobNamespace
EOF
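Once both Role/RoleBinding pairs are applied, it is worth confirming that the bindings really grant what the platform needs, and nothing in the wrong namespace. The script below is an added example, not part of the Ververica article; it impersonates each service account with kubectl auth can-i (which exits 0 for "yes" and 1 for "no") and reports any (resource, verb) pair that is denied. The variable names follow the article; the default values are placeholders, and deployments are checked only in the apps group because the extensions group no longer serves them on current Kubernetes versions.

```shell
#!/bin/sh
# Added example (not from the Ververica article): verify via impersonation that
# vvp-role/vvp-rolebind and flink-role/flink-rolebind grant every verb the
# platform needs in $jobNamespace. Defaults below are placeholders only.
: "${vvpSA:=vvp-sa}"
: "${flinkSA:=flink-sa}"
: "${vvpNamespace:=vvp}"
: "${jobNamespace:=vvp-jobs}"

VERBS="create delete get list patch update watch"

# Fully qualified resources granted by vvp-role (resource.apiGroup; the core
# group has no suffix). deployments.extensions is omitted: that API was removed.
vvp_role_resources() {
  cat <<'EOF'
deployments.apps
configmaps
pods
services
secrets
serviceaccounts
jobs.batch
roles.rbac.authorization.k8s.io
rolebindings.rbac.authorization.k8s.io
EOF
}

# Resources granted by flink-role (needed only when Kubernetes HA is enabled).
flink_role_resources() {
  printf 'configmaps\n'
}

# Emit one "kubectl auth can-i" command per (resource, verb) pair so the full
# check list can be reviewed before anything is executed.
# Args: <service account> <its namespace> <namespace being checked>; resources on stdin.
rbac_check_commands() {
  sa="$1"; sa_ns="$2"; target_ns="$3"
  while read -r resource; do
    for verb in $VERBS; do
      printf 'kubectl auth can-i %s %s --namespace %s --as system:serviceaccount:%s:%s\n' \
        "$verb" "$resource" "$target_ns" "$sa_ns" "$sa"
    done
  done
}

# Execute the checks; print every denied permission and return 1 if any is denied.
run_rbac_checks() {
  missing=$(rbac_check_commands "$@" | while read -r cmd; do
    $cmd </dev/null >/dev/null 2>&1 || printf '%s\n' "$cmd"
  done)
  if [ -n "$missing" ]; then
    printf 'Missing permissions (commands that answered "no"):\n%s\n' "$missing"
    return 1
  fi
  echo "All permissions present for $1 in namespace $3"
}

# Usage (needs a kubeconfig allowed to impersonate service accounts):
#   vvp_role_resources   | run_rbac_checks "$vvpSA"   "$vvpNamespace" "$jobNamespace"
#   flink_role_resources | run_rbac_checks "$flinkSA" "$jobNamespace" "$jobNamespace"
```

Running the same checks against a namespace other than $jobNamespace should answer "no" for every pair; a "yes" there means a binding has landed in the wrong namespace or a broader ClusterRoleBinding exists.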

Here is a breakdown of the required permissions and why the platform needs them. Every resource below needs the verbs create, delete, get, list, patch, update and watch.

Resource        | Reason
Deployments     | Create, modify, delete and monitor Flink jobs
ConfigMaps      | Store configurations for Flink jobs
Pods            | Deploy Flink job containers
Services        | Expose Flink's REST API and JobManager/TaskManager services
Secrets         | Store sensitive information (e.g., credentials for external systems that are used within the Flink jobs)
ServiceAccounts | Assign identities for Flink jobs to access other services
Jobs            | Create, modify, delete and monitor Flink jobs
Roles           | Manage permissions dynamically within a namespace; create additional permissions for accessing external resources (e.g. S3, databases, etc.); define granular permissions within the namespace
RoleBindings    | Bind roles to service accounts to grant permissions

Configure Ververica Platform to Use Your Service Account

To tell Ververica Platform to use your service account, create a Helm Values file vvp-sa.yaml with the settings below, or merge them into your existing Values file:

rbac:
  create: false
  serviceAccountName: $vvpSA

then run:

helm upgrade --install vvp ververica/ververica-platform --version <version> \
  --namespace $vvpNamespace \
  --values vvp-sa.yaml \
  ... <any other options/Values files you need>
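Before running the upgrade, you can render the chart with helm template and check two things: that it no longer emits its own ServiceAccount/Role/RoleBinding (the article states rbac.create: false disables this), and that the VVP pod spec carries your serviceAccountName. The script below is an added example, not code from the Ververica article or chart; the embedded manifests are constructed samples standing in for helm template output, and the resource names in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the Ververica article or chart): inspect rendered
# manifests before "helm upgrade" to confirm the switch to your own service
# account took effect. Assumes, as the article states, that the chart stops
# rendering its RBAC objects when rbac.create is false.

# Reads rendered YAML on stdin. Exit status 0 means no RBAC object is rendered
# and the pod spec uses the expected service account.
check_rendered_manifests() {
  expected_sa="$1"
  awk -v sa="$expected_sa" '
    /^kind: (ServiceAccount|Role|RoleBinding|ClusterRole|ClusterRoleBinding)$/ { rbac++ }
    /^ *serviceAccountName:/ { found = $2 }
    END {
      status = 0
      if (rbac > 0) {
        printf "chart still renders %d RBAC object(s); check rbac.create\n", rbac
        status = 1
      }
      if (found != sa) {
        printf "pod serviceAccountName is \"%s\", expected \"%s\"\n", found, sa
        status = 1
      }
      if (status == 0) print "OK: no RBAC objects rendered, pod runs as " sa
      exit status
    }'
}

# Constructed sample: what a render with rbac.create: false is expected to look like.
sample_render_own_sa() {
  cat <<'EOF'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vvp-ververica-platform
spec:
  template:
    spec:
      serviceAccountName: my-vvp-sa
      containers:
        - name: vvp
          image: placeholder/ververica-platform:VERSION
EOF
}

# Constructed sample: a render that still creates the chart's own RBAC objects.
sample_render_chart_rbac() {
  cat <<'EOF'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vvp-ververica-platform
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vvp-ververica-platform
spec:
  template:
    spec:
      serviceAccountName: vvp-ververica-platform
EOF
}

# Real usage, with the same flags as the upgrade command:
#   helm template vvp ververica/ververica-platform --version <version> \
#     --namespace $vvpNamespace --values vvp-sa.yaml | check_rendered_manifests "$vvpSA"
```

A non-zero exit here means the Values file was not picked up (for example, a later --values file re-enabling rbac.create), which is cheaper to find in the rendered output than after the release has replaced the running pod.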

Configure Ververica Platform Deployments to Use Your Service Account

With the service account created in $jobNamespace, you can now configure Ververica Platform deployments to use it by adding the following to the deployment spec:

# set the service account in deployment
spec:
  template:
    spec:
      kubernetes:
        jobManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA
        taskManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA

Related Information

How to Access Amazon S3 via IRSA on Ververica Platform running on AWS EKS