spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adrian Tanase (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SPARK-26295) [K8S] serviceAccountName is not set in client mode
Date Thu, 06 Dec 2018 12:31:00 GMT

     [ https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Adrian Tanase updated SPARK-26295:
----------------------------------
    Description: 
When deploying spark apps in client mode (in my case from inside the driver pod), one can't
specify the service account in accordance to the docs ([https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).]

The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is most likely added
in cluster mode only, which would be consistent with spark.kubernetes.authenticate.driver
being the cluster mode prefix.

We should either inject the service account specified by this property in the client mode
pods, or specify an equivalent config: spark.kubernetes.authenticate.serviceAccountName

 This is the exception:
{noformat}
Message: Forbidden!Configured service account doesn't have access. Service account may have
been revoked. pods "..." is forbidden: User "system:serviceaccount:mynamespace:default" cannot
get pods in the namespace "mynamespace"{noformat}
My current workaround is to create a clusterrolebinding with edit rights for the mynamespace:default
account.

  was:
When deploying spark apps in client mode (in my case from inside the driver pod), one can't
specify the service account in accordance to the docs ([https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).]

The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is most likely added
in cluster mode only, which would be consistent with spark.kubernetes.authenticate.driver
being the cluster mode prefix.

We should either inject the service account specified by this property in the client mode
pods, or specify an equivalent config: spark.kubernetes.authenticate.serviceAccountName

 This is the exception:

{{Message: Forbidden!Configured service account doesn't have access. Service account may have
been revoked. pods "..." is forbidden: User "system:serviceaccount:mynamespace:default" cannot
get pods in the namespace "mynamespace"}}

My current workaround is to create a clusterrolebinding with edit rights for the mynamespace:default
account.


> [K8S] serviceAccountName is not set in client mode
> --------------------------------------------------
>
>                 Key: SPARK-26295
>                 URL: https://issues.apache.org/jira/browse/SPARK-26295
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 2.4.0
>            Reporter: Adrian Tanase
>            Priority: Major
>
> When deploying spark apps in client mode (in my case from inside the driver pod), one
can't specify the service account in accordance to the docs ([https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).]
> The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is most likely
added in cluster mode only, which would be consistent with spark.kubernetes.authenticate.driver
being the cluster mode prefix.
> We should either inject the service account specified by this property in the client
mode pods, or specify an equivalent config: spark.kubernetes.authenticate.serviceAccountName
>  This is the exception:
> {noformat}
> Message: Forbidden!Configured service account doesn't have access. Service account may
have been revoked. pods "..." is forbidden: User "system:serviceaccount:mynamespace:default"
cannot get pods in the namespace "mynamespace"{noformat}
> My current workaround is to create a clusterrolebinding with edit rights for the mynamespace:default
account.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org


Mime
View raw message