Question
When Ververica Platform is installed with `helm install`, it automatically creates a Service Account and the corresponding Role and RoleBinding. Is it possible to use my own service account? If so, how?
Answer
Note: This section applies to Ververica Platform 2.0-2.8.
Yes, it is possible. The remainder of the article uses the following variables:
- `$vvpSA`: the name of the service account to be used in the VVP pod
- `$flinkSA`: the name of the service account to be used in the Flink job pods
- `$vvpNamespace`: the Kubernetes namespace where Ververica Platform runs
- `$jobNamespace`: the Kubernetes namespace where Ververica Platform deployments run
Configure Role/RoleBinding for Service Account
In order to allow your VVP service account to create and manage job pods in `$jobNamespace`, you need to run the following commands, which are otherwise done automatically during Ververica Platform installation when `rbac.create` is set to `true`.
```shell
# create a Kubernetes role "vvp-role" in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vvp-role
  namespace: $jobNamespace
rules:
  - apiGroups: [ "apps", "extensions" ]
    resources: [ "deployments" ]
    verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps", "pods", "services", "secrets", "serviceaccounts" ]
    verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
  - apiGroups: [ "batch" ]
    resources: [ "jobs" ]
    verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
  - apiGroups: [ "rbac.authorization.k8s.io" ]
    resources: [ "roles", "rolebindings" ]
    verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the service account in $vvpNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vvp-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vvp-role
subjects:
  - kind: ServiceAccount
    name: $vvpSA
    namespace: $vvpNamespace
EOF
```
If you want to use Kubernetes HA in Ververica Platform, make sure the Flink service account (`$flinkSA`) in `$jobNamespace` has permission to access Kubernetes ConfigMaps. To grant the permission:
```shell
# create a Kubernetes role in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flink-role
  namespace: $jobNamespace
rules:
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
EOF

# and bind it to the service account in $jobNamespace
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flink-rolebind
  namespace: $jobNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flink-role
subjects:
  - kind: ServiceAccount
    name: $flinkSA
    namespace: $jobNamespace
EOF
```
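Once the Role and RoleBinding for `$vvpSA` are applied, it is worth confirming that the grant is exactly what you expect before running `helm upgrade`. The script below is an added example, not part of the original article or of Ververica's tooling: it impersonates the service account with `kubectl auth can-i` and checks every verb/resource pair the `vvp-role` grants in `$jobNamespace`, plus one negative check that the namespaced binding did not leak into `$vvpNamespace`. The default variable values and the overridable `KUBECTL` command are assumptions for illustration; running it requires a kubeconfig identity that is allowed to impersonate service accounts.

```shell
#!/usr/bin/env sh
# Assumed defaults; override with the same variable names used in the article.
KUBECTL="${KUBECTL:-kubectl}"
vvpSA="${vvpSA:-vvp-sa}"
vvpNamespace="${vvpNamespace:-vvp}"
jobNamespace="${jobNamespace:-vvp-jobs}"

# can_i VERB RESOURCE NAMESPACE: prints "yes" or "no" as the impersonated SA
can_i() {
  "$KUBECTL" auth can-i "$1" "$2" \
    --namespace "$3" \
    --as "system:serviceaccount:${vvpNamespace}:${vvpSA}" 2>/dev/null
}

# check_vvp_rbac: returns 0 only when every verb granted by vvp-role works in
# $jobNamespace and, if the namespaces differ, nothing is granted in $vvpNamespace.
check_vvp_rbac() {
  failures=0
  # resources are qualified with their API group, matching the vvp-role rules
  for res in deployments.apps pods configmaps services secrets serviceaccounts \
             jobs.batch roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io; do
    for verb in create delete get list patch update watch; do
      if [ "$(can_i "$verb" "$res" "$jobNamespace")" != "yes" ]; then
        echo "MISSING: $verb $res in $jobNamespace"
        failures=$((failures + 1))
      fi
    done
  done
  # negative check: a Role is namespaced, so the SA must not gain the same
  # rights elsewhere (skipped when VVP and jobs share one namespace)
  if [ "$vvpNamespace" != "$jobNamespace" ] &&
     [ "$(can_i create pods "$vvpNamespace")" = "yes" ]; then
    echo "UNEXPECTED: create pods allowed in $vvpNamespace"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ]
}
```

Run `check_vvp_rbac` after applying the manifests; a non-zero exit lists each missing or unexpected permission so the Role can be corrected before Ververica Platform is pointed at the service account.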
Configure Ververica Platform to Use Your Service Account
To tell Ververica Platform to use your service account, create a Helm Values file `vvp-sa.yaml` (or merge the following into your existing Values file):

```yaml
rbac:
  create: false
  serviceAccountName: $vvpSA
```
then run:
```shell
helm upgrade --install vvp ververica/ververica-platform --version <version> \
  --namespace $vvpNamespace \
  --values vvp-sa.yaml \
  ... <any other options/Values files you need>
```
Configure Ververica Platform Deployments to Use Your Service Account
With the service account created in `$jobNamespace`, you can now configure Ververica Platform deployments to use it by adding the following to the deployment spec:

```yaml
# set the service account in the deployment
spec:
  template:
    spec:
      kubernetes:
        jobManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA
        taskManagerPodTemplate:
          spec:
            serviceAccountName: $flinkSA
```
Related Information
How to Access Amazon S3 via IRSA on Ververica Platform running on AWS EKS