[ https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16712493#comment-16712493 ]

Adrian Tanase commented on SPARK-26295:
---------------------------------------

[~vanzin] I'm not sure how it applies. I'd be happy to give that a shot, 
except, as I also commented on that PR, I can't see how kubectl and kube 
context are relevant in the client mode, where spark submit is being called 
from docker, inside the driver pod.

If there is code that propagates the kube context along this path, I'm not 
aware of it, would love to see some documentation:
{noformat}
laptop with kubectl and context > k apply -f spark-driver-client-mode.yaml -> 
deployment starts 1 instance of driver pod in arbitrary namespace -> spark 
submit from start.sh inside the docker container -> ...
{noformat}
Also, I'd rather not make any assumptions about "implicit" configuration that 
may vary from computer to computer. Ideally the yaml templates are self 
sufficient (including config maps, env vars, etc) and, apart from your cluster 
credentials, you shouldn't need anything else on your machine.

Thanks for looking at the issue.

> [K8S] serviceAccountName is not set in client mode
> --------------------------------------------------
>
>                 Key: SPARK-26295
>                 URL: https://issues.apache.org/jira/browse/SPARK-26295
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 2.4.0
>            Reporter: Adrian Tanase
>            Priority: Major
>
> When deploying spark apps in client mode (in my case from inside the driver 
> pod), one can't specify the service account in accordance with the docs 
> (https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).
> The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is 
> most likely added in cluster mode only, which would be consistent with 
> spark.kubernetes.authenticate.driver being the cluster mode prefix.
> We should either inject the service account specified by this property in the 
> client mode pods, or specify an equivalent config: 
> spark.kubernetes.authenticate.serviceAccountName
>  This is the exception:
> {noformat}
> Message: Forbidden!Configured service account doesn't have access. Service 
> account may have been revoked. pods "..." is forbidden: User 
> "system:serviceaccount:mynamespace:default" cannot get pods in the namespace 
> "mynamespace"
> {noformat}
> The expectation was to see the user `mynamespace:spark` based on my submit 
> command.
> My current workaround is to create a clusterrolebinding with edit rights for 
> the mynamespace:default account.
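
A narrower alternative to the cluster-wide edit binding described above, as an added example that is not from the reporter or the Spark project: a dedicated service account with a namespaced Role, set on the driver pod spec itself. It assumes the client inside the driver pod authenticates with the pod's mounted service account token, as the identity in the exception suggests; the object names, image and verb list are placeholders.

```yaml
# Added example. mynamespace and spark come from the issue text;
# spark-driver and the image reference are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata: {name: spark, namespace: mynamespace}
---
# Namespaced Role instead of cluster-wide "edit" rights on the default account.
# The resource and verb lists are an assumption: trim them to what the job uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: spark-driver, namespace: mynamespace}
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: spark-driver, namespace: mynamespace}
subjects:
  - kind: ServiceAccount
    name: spark
    namespace: mynamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spark-driver
---
# Driver Deployment fragment: the pod's identity is taken from its own spec,
# so requests made from inside it authenticate as
# system:serviceaccount:mynamespace:spark rather than ...:default.
apiVersion: apps/v1
kind: Deployment
metadata: {name: spark-driver, namespace: mynamespace}
spec:
  selector:
    matchLabels: {app: spark-driver}
  template:
    metadata:
      labels: {app: spark-driver}
    spec:
      serviceAccountName: spark
      containers:
        - name: driver
          image: example.invalid/spark-driver:placeholder
```

Running `kubectl auth can-i get pods --as=system:serviceaccount:mynamespace:spark -n mynamespace` checks the binding before the driver is deployed.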


