Posted to issues@spark.apache.org by "Stijn De Haes (Jira)" <ji...@apache.org> on 2020/10/08 13:49:00 UTC

[jira] [Commented] (SPARK-28360) The serviceAccountName configuration item does not take effect in client mode.

    [ https://issues.apache.org/jira/browse/SPARK-28360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17210229#comment-17210229 ] 

Stijn De Haes commented on SPARK-28360:
---------------------------------------

I think it makes sense. If you are running in client mode and are already in a pod in Kubernetes, you can't change the service account used by the pod you are running in. I don't think this can be fixed; you can't change the serviceaccount of a pod that is already created. You can only specify it at creation time.

> The serviceAccountName configuration item does not take effect in client mode.
> ------------------------------------------------------------------------------
>
>                 Key: SPARK-28360
>                 URL: https://issues.apache.org/jira/browse/SPARK-28360
>             Project: Spark
>          Issue Type: Improvement
>          Components: Kubernetes, Spark Core
>    Affects Versions: 3.1.0
>            Reporter: zhixingheyi_tian
>            Priority: Major
>
> From the configuration item description in the Spark document: https://spark.apache.org/docs/latest/running-on-kubernetes.html
>  
> “spark.kubernetes.authenticate.driver.serviceAccountName default Service account that is used when running the driver pod. The driver pod uses this service account when requesting executor pods from the API server. Note that this cannot be specified alongside a CA cert file, client key file, client cert file, and/or OAuth token. In client mode, use spark.kubernetes.authenticate.serviceAccountName instead.”
> But in client mode, “spark.kubernetes.authenticate.serviceAccountName” does not in fact take effect.
> From the analysis of the source code, Spark does not get this configuration item "spark.kubernetes.authenticate.serviceAccountName".
>  In the unit tests, there are only cases for "spark.kubernetes.authenticate.driver.serviceAccountName".
> In Kubernetes, a service account provides an identity for processes that run in a Pod. When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.
>  Adding a “spec.serviceAccountName” when creating a pod can specify a custom service account.
>  So in client mode, if you run your driver inside a Kubernetes pod, the serviceaccount already exists. If your application is not running inside a pod, no serviceaccount is needed at all.
> From my point of view, just modify the document and delete the "spark.kubernetes.authenticate.serviceAccountName" configuration item description. Because it doesn't work at the moment, it also doesn't need to work.
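
An added example, not part of the original thread and not Spark's own code: a diagnostic that reads the identity from a pod's mounted service account token and flags a `spark.kubernetes.authenticate.serviceAccountName` value that differs from it, since the thread's point is that the pod's account is fixed at creation. The sample token, the namespace `spark-jobs`, the account names and the helper names are constructed for illustration.

```python
import base64
import json

# Standard path where Kubernetes mounts the pod's service account token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# The client-mode setting this issue reports as having no effect.
CLIENT_KEY = "spark.kubernetes.authenticate.serviceAccountName"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(namespace: str, name: str) -> str:
    """Build a CONSTRUCTED, unsigned token shaped like a service account JWT."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": "kubernetes/serviceaccount",
              "sub": f"system:serviceaccount:{namespace}:{name}"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def token_identity(jwt: str) -> tuple[str, str]:
    """Return (namespace, service account) from the token's 'sub' claim.

    The signature is not verified: use this for diagnosis, never for authorization.
    """
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    sub = json.loads(base64.urlsafe_b64decode(payload)).get("sub", "")
    fields = sub.split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"unexpected subject: {sub!r}")
    return fields[2], fields[3]


def check_client_mode(spark_conf: dict, jwt: str) -> list[str]:
    """List mismatches between the configured account and the pod's real identity."""
    namespace, effective = token_identity(jwt)
    wanted = spark_conf.get(CLIENT_KEY)
    if wanted and wanted != effective:
        return [f"{CLIENT_KEY}={wanted} is ignored; the driver acts as "
                f"{namespace}/{effective}, fixed when the pod was created"]
    return []


if __name__ == "__main__":
    token = make_sample_token("spark-jobs", "default")  # in a pod: open(TOKEN_PATH).read()
    print(check_client_mode({CLIENT_KEY: "spark-driver"}, token))
```

Any RBAC permissions the driver needs to request executor pods have to be granted to the account this reports, not to the one named in the Spark configuration.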


