[
https://issues.apache.org/jira/browse/SPARK-28360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17210229#comment-17210229
]
Stijn De Haes commented on SPARK-28360:
---------------------------------------
I think it makes sense. If you are running in client mode and are already in a
pod in kubernetes. You can't change the service account used by the pod your
are running in. I don't think this can be fixed, you can't change the
serviceaccount of a pod that is already created. You can only specify it at
creation time
> The serviceAccountName configuration item does not take effect in client mode.
> ------------------------------------------------------------------------------
>
> Key: SPARK-28360
> URL: https://issues.apache.org/jira/browse/SPARK-28360
> Project: Spark
> Issue Type: Improvement
> Components: Kubernetes, Spark Core
> Affects Versions: 3.1.0
> Reporter: zhixingheyi_tian
> Priority: Major
>
> From the configuration item description from the spark document:
> https://spark.apache.org/docs/latest/running-on-kubernetes.html
>
> “spark.kubernetes.authenticate.driver.serviceAccountName default Service
> account that is used when running the driver pod. The driver pod uses this
> service account when requesting executor pods from the API server. Note that
> this cannot be specified alongside a CA cert file, client key file, client
> cert file, and/or OAuth token. In client mode, use
> spark.kubernetes.authenticate.serviceAccountName instead.”
> But in client mode. “spark.kubernetes.authenticate.serviceAccountName” does
> not take effect in fact.
> From the analysis of source codes, spark does not get this configuration item
> "spark.kubernetes.authenticate.serviceAccountName".
> In Unit Tests, only cases for
> "spark.kubernetes.authenticate.driver.serviceAccountName".
> In kubernetes, a service account provides an identity for processes that run
> in a Pod. When you create a pod, if you do not specify a service account, it
> is automatically assigned the default service account in the same namespace.
> Add a “spec.serviceAccountName” when creating a pod , can specify a custom
> service account.
> So in client mode, If you run your driver inside a Kubernetes pod, the
> serviceaccount has already existed. If your application is not running inside
> a pod, no serviceaccount is needed at all.
> From my point of view, just modify the document and delete the
> "spark.kubernetes.authenticate.serviceAccountName" configuration item
> description. Because it doesn't work at the moment, it also doesn't need to
> work.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
