Flink JobManager service account security requirements for Native Kubernetes - Amazon EMR

The Flink JobManager pod uses a Kubernetes service account to access the Kubernetes API server to create and watch TaskManager pods. The JobManager service account must have appropriate permissions to create and delete TaskManager pods, and must allow the TaskManager to watch leader ConfigMaps to retrieve the address of JobManager and ResourceManager in your cluster.

The following rules apply to this service account.

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - "*"
- apiGroups:
  - "apps"
  resources:
  - deployments
  verbs:
  - "*"
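
An added example (not part of the AWS documentation): a Python check that evaluates the rules above with simplified RBAC matching, confirming they cover the pod and ConfigMap operations this page names and listing where wildcard verbs are granted. The `OUT_OF_SCOPE` entries are constructed samples, and `resourceNames` and subresources are not modeled.

```python
import json

# The rules from this page, in the JSON shape found under "rules"
# in the output of `kubectl get role <name> -o json`.
PAGE_RULES = json.loads("""[
  {"apiGroups": [""],     "resources": ["pods"],        "verbs": ["*"]},
  {"apiGroups": [""],     "resources": ["services"],    "verbs": ["*"]},
  {"apiGroups": [""],     "resources": ["configmaps"],  "verbs": ["*"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}
]""")

# Operations the page says the service account must be able to perform.
REQUIRED = [("", "pods", "create"), ("", "pods", "delete"),
            ("", "pods", "watch"), ("", "configmaps", "watch")]

# Constructed samples of access these rules are not meant to grant.
OUT_OF_SCOPE = [("", "secrets", "get"),
                ("rbac.authorization.k8s.io", "rolebindings", "create"),
                ("apps", "daemonsets", "create")]


def _matches(allowed, value):
    """A rule field matches on an exact entry or the "*" wildcard."""
    return "*" in allowed or value in allowed


def allows(rules, api_group, resource, verb):
    """True if any single rule grants `verb` on `resource` in `api_group`.

    Simplified: resourceNames and subresources are not modeled.
    """
    return any(_matches(r.get("apiGroups", []), api_group)
               and _matches(r.get("resources", []), resource)
               and _matches(r.get("verbs", []), verb)
               for r in rules)


def audit(rules):
    """Report required operations that are missing, out-of-scope
    operations that are granted, and every wildcard-verb grant."""
    return {
        "missing": [op for op in REQUIRED if not allows(rules, *op)],
        "excess": [op for op in OUT_OF_SCOPE if allows(rules, *op)],
        "wildcard_verbs": [(g, res) for r in rules if "*" in r.get("verbs", [])
                           for g in r.get("apiGroups", [])
                           for res in r.get("resources", [])],
    }


if __name__ == "__main__":
    print(json.dumps(audit(PAGE_RULES), indent=2))
```
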