[ 
https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adrian Tanase updated SPARK-26295:
----------------------------------
    Description: 
When deploying Spark apps in client mode (in my case from inside the driver 
pod), one can't specify the service account in accordance with the docs 
(https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).

The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is 
most likely added in cluster mode only, which would be consistent with 
{{spark.kubernetes.authenticate.driver}} being the cluster mode prefix.

We should either inject the service account specified by this property in the 
client mode pods, or specify an equivalent config: 
{{spark.kubernetes.authenticate.serviceAccountName}}

 This is the exception:
{noformat}
Message: Forbidden!Configured service account doesn't have access. Service 
account may have been revoked. pods "..." is forbidden: User 
"system:serviceaccount:mynamespace:default" cannot get pods in the namespace 
"mynamespace"{noformat}
The expectation was to see the user {{mynamespace:spark}} based on my submit 
command.

My current workaround is to create a clusterrolebinding with edit rights for 
the mynamespace:default account.

  was:
When deploying Spark apps in client mode (in my case from inside the driver 
pod), one can't specify the service account in accordance with the docs 
(https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).

The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is 
most likely added in cluster mode only, which would be consistent with 
spark.kubernetes.authenticate.driver being the cluster mode prefix.

We should either inject the service account specified by this property in the 
client mode pods, or specify an equivalent config: 
spark.kubernetes.authenticate.serviceAccountName

 This is the exception:
{noformat}
Message: Forbidden!Configured service account doesn't have access. Service 
account may have been revoked. pods "..." is forbidden: User 
"system:serviceaccount:mynamespace:default" cannot get pods in the namespace 
"mynamespace"{noformat}
The expectation was to see the user `mynamespace:spark` based on my submit 
command.

My current workaround is to create a clusterrolebinding with edit rights for 
the mynamespace:default account.


> [K8S] serviceAccountName is not set in client mode
> --------------------------------------------------
>
>                 Key: SPARK-26295
>                 URL: https://issues.apache.org/jira/browse/SPARK-26295
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 2.4.0
>            Reporter: Adrian Tanase
>            Priority: Major
>
> When deploying Spark apps in client mode (in my case from inside the driver 
> pod), one can't specify the service account in accordance with the docs 
> (https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).
> The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is 
> most likely added in cluster mode only, which would be consistent with 
> {{spark.kubernetes.authenticate.driver}} being the cluster mode prefix.
> We should either inject the service account specified by this property in the 
> client mode pods, or specify an equivalent config: 
> {{spark.kubernetes.authenticate.serviceAccountName}}
>  This is the exception:
> {noformat}
> Message: Forbidden!Configured service account doesn't have access. Service 
> account may have been revoked. pods "..." is forbidden: User 
> "system:serviceaccount:mynamespace:default" cannot get pods in the namespace 
> "mynamespace"{noformat}
> The expectation was to see the user {{mynamespace:spark}} based on my submit 
> command.
> My current workaround is to create a clusterrolebinding with edit rights for 
> the mynamespace:default account.
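
A namespaced alternative to binding edit rights to the default account, as an added example that is not part of the issue or of Spark itself: because the client-mode driver pod is created by the user, its pod spec can name the `spark` service account directly, bound to a Role limited to pods in `mynamespace`. The Role name, pod name, image and the exact verb list are assumptions to adjust for the Spark version in use.

```yaml
# Added example. "mynamespace" and "spark" come from the report;
# "spark-driver", "spark-client-driver" and the image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark
  namespace: mynamespace
---
# Namespaced Role: only what the driver needs to manage executor pods
# (assumed verb list; the error in the report was a denied "get pods").
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-driver
  namespace: mynamespace
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
# Bind the Role to mynamespace:spark only, so other pods running as
# mynamespace:default gain nothing.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-driver
  namespace: mynamespace
subjects:
  - kind: ServiceAccount
    name: spark
    namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spark-driver
---
# The pod from which spark-submit runs in client mode. Setting
# serviceAccountName here makes the mounted token belong to "spark".
apiVersion: v1
kind: Pod
metadata:
  name: spark-client-driver
  namespace: mynamespace
spec:
  serviceAccountName: spark
  containers:
    - name: driver
      image: example.invalid/spark-app:placeholder
```

After applying, `kubectl auth can-i get pods --as=system:serviceaccount:mynamespace:spark -n mynamespace` should answer `yes`, and the same query for `system:serviceaccount:mynamespace:default` should answer `no`.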


