Posted to issues@spark.apache.org by "Mathew Wicks (Jira)" <ji...@apache.org> on 2020/01/28 03:14:00 UTC

[jira] [Commented] (SPARK-26295) [K8S] serviceAccountName is not set in client mode

    [ https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024838#comment-17024838 ] 

Mathew Wicks commented on SPARK-26295:
--------------------------------------

I am still encountering this issue on 2.4.4 (and given SPARK-28360, this issue likely also occurs in Spark 3.0's current preview, but I haven't verified this).

Can anyone take a look at this [~dongjoon]?

The issue is effectively that `spark.kubernetes.authenticate.driver.serviceAccountName` and `spark.kubernetes.authenticate.serviceAccountName` are ignored in client mode with K8S master. No matter what you specify, the default service account for the `spark.kubernetes.namespace` namespace is used.

> [K8S] serviceAccountName is not set in client mode
> --------------------------------------------------
>
>                 Key: SPARK-26295
>                 URL: https://issues.apache.org/jira/browse/SPARK-26295
>             Project: Spark
>          Issue Type: Bug
>          Components: Kubernetes
>    Affects Versions: 2.4.0
>            Reporter: Adrian Tanase
>            Priority: Major
>
> When deploying Spark apps in client mode (in my case from inside the driver pod), one can't specify the service account in accordance with the docs (https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).
> The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is most likely added in cluster mode only, which would be consistent with {{spark.kubernetes.authenticate.driver}} being the cluster mode prefix.
> We should either inject the service account specified by this property in the client mode pods, or specify an equivalent config: {{spark.kubernetes.authenticate.serviceAccountName}}
> This is the exception:
> {noformat}
> Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "..." is forbidden: User "system:serviceaccount:mynamespace:default" cannot get pods in the namespace "mynamespace"
> {noformat}
> The expectation was to see the user {{mynamespace:spark}} based on my submit command.
> My current workaround is to create a clusterrolebinding with edit rights for the mynamespace:default account.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
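
Added example (not part of the original message or of Spark): a check of which service account a client-mode driver pod is actually acting as, read either from the token mounted into the pod or from the Forbidden message quoted in the issue. It assumes the driver authenticates with the pod's mounted token and that `spark` in `mynamespace` is the intended account; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import re

# Standard in-pod mount path for the service account token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SUBJECT_RE = re.compile(r"system:serviceaccount:(?P<ns>[^:\"\s]+):(?P<name>[^:\"\s]+)")


def token_subject(jwt):
    """Return the `sub` claim of a service account JWT (signature NOT verified)."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def parse_subject(text):
    """Extract (namespace, name) from a token subject or a Forbidden message."""
    m = SUBJECT_RE.search(text)
    if m is None:
        raise ValueError("no service account subject found")
    return m["ns"], m["name"]


def check_identity(text, namespace, expected_name):
    """True if the identity found in `text` is the intended service account."""
    return parse_subject(text) == (namespace, expected_name)


def _constructed_token(sub):
    """Build an unsigned sample token for the demo; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': sub})}.sig"


# Constructed sample: what a pod running as the namespace default account would hold.
SAMPLE_TOKEN = _constructed_token("system:serviceaccount:mynamespace:default")
# The exception text quoted in the issue.
SAMPLE_ERROR = ('pods "..." is forbidden: User "system:serviceaccount:mynamespace:default" '
                'cannot get pods in the namespace "mynamespace"')

if __name__ == "__main__":
    sub = token_subject(SAMPLE_TOKEN)  # in a pod: open(TOKEN_PATH).read()
    print("effective identity:", sub)
    print("matches intended account:", check_identity(sub, "mynamespace", "spark"))
```

Running this in the driver pod before submitting shows the mismatch up front, without having to grant the default account broader rights to get past the error.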