[ 
https://issues.apache.org/jira/browse/SPARK-27872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stavros Kontopoulos updated SPARK-27872:
----------------------------------------
    Description: 
Driver and executors use different service accounts in case the driver has one 
set up other than the default: 
[https://gist.github.com/skonto/9beb5afa2ec4659ba563cbb0a8b9c4dd]

This makes the executor pods fail when the user links a service account with a 
secret: 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account]
  as executors will not use the driver's service account and will not be able 
to get the secret in order to pull the related image. 

I am not sure what is the assumption here for using the default account for 
executors, probably because of the fact that this account is limited (btw 
executors don't create resources)? This is an inconsistency that could be worked 
around with the pod template feature in Spark 3.0.0 but it breaks pull secrets.

 

  was:
Driver and executors use different service accounts in case the driver has 
provided by the user, other than the default: 
[https://gist.github.com/skonto/9beb5afa2ec4659ba563cbb0a8b9c4dd]

This makes the executor pods fail when the user links a service account with a 
secret: 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account]
  as executors will not use the driver's service account and will not be able 
to get the secret in order to pull the related image. 

I am not sure what is the assumption here for using the default account for 
executors, probably because of the fact that this account is limited (btw 
executors don't create resources)? This is an inconsistency that could be worked 
around with the pod template feature in Spark 3.0.0 but it breaks pull secrets.

 


> Driver and executors use a different service account
> ----------------------------------------------------
>
>                 Key: SPARK-27872
>                 URL: https://issues.apache.org/jira/browse/SPARK-27872
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 3.0.0, 2.4.3
>            Reporter: Stavros Kontopoulos
>            Priority: Major
>
> Driver and executors use different service accounts in case the driver has 
> one set up other than the default: 
> [https://gist.github.com/skonto/9beb5afa2ec4659ba563cbb0a8b9c4dd]
> This makes the executor pods fail when the user links a service account with 
> a secret: 
> [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account]
>   as executors will not use the driver's service account and will not be able 
> to get the secret in order to pull the related image. 
> I am not sure what is the assumption here for using the default account for 
> executors, probably because of the fact that this account is limited (btw 
> executors don't create resources)? This is an inconsistency that could be 
> worked around with the pod template feature in Spark 3.0.0 but it breaks pull 
> secrets.
>  
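
The mismatch described in this issue can be checked for on pod and service account objects. The following is an added example, not part of the original issue or of Spark's code: it runs on constructed sample objects and assumes pods carry the `spark-role` and `spark-app-selector` labels that Spark on Kubernetes sets.

```python
import json

# Constructed sample objects (not taken from the issue): service accounts in
# one namespace and the pods of two Spark applications.
ACCOUNTS = {
    "default": {"imagePullSecrets": []},
    "spark-sa": {"imagePullSecrets": [{"name": "registry-cred"}]},
}

def pod(name, role, app, sa=None):
    """Build a minimal pod object; sa=None leaves serviceAccountName unset."""
    spec = {"serviceAccountName": sa} if sa else {}
    labels = {"spark-role": role, "spark-app-selector": app}
    return {"metadata": {"name": name, "labels": labels}, "spec": spec}

PODS = [
    pod("pi-driver", "driver", "app-1", "spark-sa"),
    pod("pi-exec-1", "executor", "app-1"),  # falls back to "default"
    pod("etl-driver", "driver", "app-2", "spark-sa"),
    pod("etl-exec-1", "executor", "app-2", "spark-sa"),
]

def effective(p, accounts):
    """Return (service account, pull secret names) the pod ends up with."""
    spec = p["spec"]
    sa = spec.get("serviceAccountName") or "default"
    # Pod-level imagePullSecrets win; otherwise the account's are copied in.
    refs = spec.get("imagePullSecrets") or accounts.get(sa, {}).get("imagePullSecrets", [])
    return sa, {r["name"] for r in refs}

def find_mismatches(pods, accounts):
    """Flag executors whose service account differs from their driver's."""
    drivers = {p["metadata"]["labels"]["spark-app-selector"]: effective(p, accounts)
               for p in pods if p["metadata"]["labels"].get("spark-role") == "driver"}
    findings = []
    for p in pods:
        labels = p["metadata"]["labels"]
        app = labels.get("spark-app-selector")
        if labels.get("spark-role") != "executor" or app not in drivers:
            continue
        (d_sa, d_sec), (e_sa, e_sec) = drivers[app], effective(p, accounts)
        if e_sa != d_sa:
            findings.append({"pod": p["metadata"]["name"], "driver_sa": d_sa,
                             "executor_sa": e_sa,
                             "missing_pull_secrets": sorted(d_sec - e_sec)})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_mismatches(PODS, ACCOUNTS), indent=2))
```

A non-empty `missing_pull_secrets` list marks an executor that cannot use the registry credential linked to the driver's account, which is the image pull failure the issue describes.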


