[jira] [Commented] (SPARK-26295) [K8S] serviceAccountName is not set in client mode

Thu, 06 Dec 2018 05:46:48 -0800 


    [ 
https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16711462#comment-16711462
 ] 

Adrian Tanase commented on SPARK-26295:
---------------------------------------

I would be happy to give it a shot with a bit of guidance, as I can't easily 
figure out where this should slot in, given the many classes under the 
*org.apache.spark.deploy.k8s* package.

Also, I've just seen the docs calling out this configuration 
(*spark.kubernetes.authenticate.serviceAccountName*) but I don't think it's 
implemented, or we have a bug.

 

> [K8S] serviceAccountName is not set in client mode
> --------------------------------------------------
>
>                 Key: SPARK-26295
>                 URL: https://issues.apache.org/jira/browse/SPARK-26295
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 2.4.0
>            Reporter: Adrian Tanase
>            Priority: Major
>
> When deploying spark apps in client mode (in my case from inside the driver 
> pod), one can't specify the service account in accordance to the docs 
> ([https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).]
> The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is 
> most likely added in cluster mode only, which would be consistent with 
> spark.kubernetes.authenticate.driver being the cluster mode prefix.
> We should either inject the service account specified by this property in the 
> client mode pods, or specify an equivalent config: 
> spark.kubernetes.authenticate.serviceAccountName
>  This is the exception:
> {noformat}
> Message: Forbidden!Configured service account doesn't have access. Service 
> account may have been revoked. pods "..." is forbidden: User 
> "system:serviceaccount:mynamespace:default" cannot get pods in the namespace 
> "mynamespace"{noformat}
> The expectation was to see the user `mynamespace:spark` based on my submit 
> command.
> My current workaround is to create a clusterrolebinding with edit rights for 
> the mynamespace:default account.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to