You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Stavros Kontopoulos (JIRA)" <ji...@apache.org> on 2019/07/12 10:59:00 UTC
[jira] [Comment Edited] (SPARK-27997) kubernetes client token
expired
[ https://issues.apache.org/jira/browse/SPARK-27997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883714#comment-16883714 ]
Stavros Kontopoulos edited comment on SPARK-27997 at 7/12/19 10:58 AM:
-----------------------------------------------------------------------
This is interesting. With K8s 1.16 sa tokens change as well:
[https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md]
[https://thenewstack.io/no-more-forever-tokens-changes-in-identity-management-for-kubernetes|https://thenewstack.io/no-more-forever-tokens-changes-in-identity-management-for-kubernetes/]
Probably k8s client libs will handle this case, but we should keep an eye on this, in case we need to provide support eg. via a config (renew or not to renew).
Another question is what do you do with key rotations and long running jobs: [https://github.com/kubernetes/kubernetes/issues/20165]
Back to the original ticket. [https://github.com/fabric8io/kubernetes-client/pull/1339] RotatingOAuthTokenProvider was added recently to fabric8io and its quite simple to implement a custom one. The problem is that this depends on the service that will implement that interface. I am not aware of what we should test against. We could add support via reflection and fail if we find that no class implements it but the user has enabled rotation. [~erikerlandson] thoughts?
was (Author: skonto):
This is interesting. With K8s 1.16 sa tokens change as well:
[https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md]
[https://thenewstack.io/no-more-forever-tokens-changes-in-identity-management-for-kubernetes|https://thenewstack.io/no-more-forever-tokens-changes-in-identity-management-for-kubernetes/]
Probably k8s client libs will handle this case, but we should keep an eye on this, in case we need to provide support eg. via a config (renew or not to renew).
Another question is what do you do with key rotations and long running jobs: [https://github.com/kubernetes/kubernetes/issues/20165]
Back to the original ticket. [https://github.com/fabric8io/kubernetes-client/pull/1339] RotatingOAuthTokenProvider was added recently to fabric8io and its quite simple to implement a custom one. The problem is that this dependents on the service that will implement that interface. I am not aware of what we should test against. We could add support via reflection and fail if we find no class implements it but the user enabled it. [~erikerlandson] thoughts?
> kubernetes client token expired
> --------------------------------
>
> Key: SPARK-27997
> URL: https://issues.apache.org/jira/browse/SPARK-27997
> Project: Spark
> Issue Type: Improvement
> Components: Kubernetes
> Affects Versions: 3.0.0
> Reporter: Henry Yu
> Priority: Major
>
> Hi ,
> when I try to submit spark to k8s in cluster mode, I need an authtoken to talk with k8s.
> unfortunately, many cloud provider provide token and expired with 10-15 mins. so we need to fresh this token.
> client mode is event worse, because scheduler is created on submit process.
> Should I also make a pr on this ? I fix it by adding
> RotatingOAuthTokenProvider and some configuration.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org