Security configurations

Configuring Flink and SQL Stream Builder to secure your workloads.

SSB simplifies deploying Flink SQL jobs; however, you need to ensure the proper security of your workloads and of SSB itself. The following tools are available for securing your FlinkDeployment in your Kubernetes cluster setup.

Fernet key

When deploying SSB, you must specify a fernetKey, which is used for encrypting the job definition of every Flink job started with SSB. Job definitions may include sensitive data, such as the DDL of tables that can contain usernames and passwords as part of the connector configuration, or authentication information for connected storage. This sensitive information is encrypted with the Fernet key.

The specified Fernet key is created as a Kubernetes Secret in the same namespace where the CSA Operator is installed, and will be automatically mounted by SSB and Flink pods.
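A Fernet key is 32 random bytes encoded with URL-safe base64 (44 characters). As a sketch, one way to generate a suitable key on a typical Linux system is:

```shell
# Generate a Fernet key: 32 random bytes, URL-safe base64 encoded (44 characters).
FERNET_KEY=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_')
echo "$FERNET_KEY"
```

Pass the resulting value as the fernetKey when deploying SSB.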

User management

When installing SSB, a default user (admin/admin) is created automatically, and registration is enabled. You have the option to enable or disable user registration, and you can also modify the default user(s) based on your requirements.
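As an illustration, these options are typically set through the Helm values file. The key names below are hypothetical placeholders; consult the chart's values.yaml for the actual property names:

```yaml
# Hypothetical values.yaml fragment -- key names are placeholders,
# check the chart's documented configuration for the actual names.
ssb:
  registrationAllowed: false    # disable self-service user registration
  adminUser:
    username: admin
    password: change-me         # replace the default admin/admin credentials
```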

Ingress

By default, SSB does not set up any Ingress. This can be changed using the ingress configuration. The Ingress resource is created in the same namespace as SSB.

Ingress can be used to easily enable TLS/HTTPS for SSB, and it can also be used to set up authentication.
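For example, enabling TLS through the ingress configuration might look like the following. The host name, Secret name, and exact key names are placeholders for your environment; check the chart's documented ingress options:

```yaml
# Hypothetical values.yaml fragment -- key names under "ingress" may differ.
ingress:
  enabled: true
  hostname: ssb.example.com
  tls:
    - secretName: ssb-tls        # Secret holding the TLS certificate and key
      hosts:
        - ssb.example.com
```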

Storage configuration

It is recommended to add persistent data storage so that Flink can save checkpoints and savepoints. In most cases this is blob storage (for example, S3) that requires authentication to access.

You can use the storageConfiguration configuration to set up the storage for SSB. The configuration should be a valid flink-conf.yaml file, which can contain sensitive data, such as s3.access-key, s3.secret-key, and so on.

The Helm chart creates a Secret from this configuration in the same namespace as SSB, and SSB creates a new Secret for each Flink deployment created by the user.
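For example, a storageConfiguration for S3-backed checkpoints and savepoints could look like the following sketch. The bucket name, credentials, and endpoint are placeholders, and the exact shape of the property in your values file may differ:

```yaml
# Illustrative storageConfiguration -- the contents follow flink-conf.yaml syntax.
storageConfiguration: |
  state.checkpoints.dir: s3://my-flink-bucket/checkpoints
  state.savepoints.dir: s3://my-flink-bucket/savepoints
  s3.access-key: <access-key>
  s3.secret-key: <secret-key>
  s3.endpoint: https://s3.example.com   # only needed for non-AWS S3-compatible storage
```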

Volume mounts

It is possible to mount existing volumes to SSB and all created Flink pods using the podVolumes and podVolumeMounts configurations. You need to ensure that these volumes exist in the namespace of the SSB and Flink pods that will be created by SSB.

The configurations can be used to mount ConfigMaps, Secrets, or any other kind of volume to the SSB and Flink pods. For example, you can mount hive-site.xml, core-site.xml, krb5.conf, and keytabs as ConfigMaps and Secrets to be able to connect to Hive with SSB/Flink.
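As an illustration, a keytab stored in a Kubernetes Secret could be mounted like this. The Secret name, volume name, and mount path are placeholders for your environment:

```yaml
podVolumes:
  create: true
  data:
    - name: keytab-volume
      secret:
        secretName: ssb-keytab   # e.g. created with:
                                 # kubectl -n flink create secret generic ssb-keytab --from-file=ssb.keytab
podVolumeMounts:
  create: true
  data:
    - name: keytab-volume
      mountPath: /etc/security/keytabs
      readOnly: true
```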

Kerberos configuration

To enable Kerberos authentication, you need to add the Hadoop dependencies to the CSA images as described in the Customize container images section.

After adding the dependencies, you need to ensure that the Hadoop configuration and krb5.conf files are added as ConfigMaps using the following commands:

kubectl -n flink create configmap hadoop-conf --from-file core-site.xml=core-site.xml --from-file hdfs-site.xml=hdfs-site.xml
kubectl -n flink create configmap krb5-conf --from-file krb5.conf=krb5.conf

When the ConfigMaps are in place, update the following configuration properties in the values.yaml file so that the configuration files are mounted on the containers:

podVolumes:
  create: true
  data:
    - name: hadoop-conf-volume
      configMap:
        name: hadoop-conf
    - name: krb5-conf-volume
      configMap:
        name: krb5-conf
podVolumeMounts:
  create: true
  data:
    - name: hadoop-conf-volume
      mountPath: /etc/hadoop/conf
      readOnly: true
    - name: krb5-conf-volume
      mountPath: /etc/krb5.conf
      subPath: krb5.conf

After setting up images and configurations, you can use Streaming SQL Console to specify your keytabs in the Keytab Manager. Once the keytab is successfully validated, Kerberos will be automatically configured when a new job is deployed.