Spark / SPARK-26295

[K8S] serviceAccountName is not set in client mode


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.4.0
    • Fix Version/s: None
    • Component/s: Kubernetes, Spark Core

    Description

      When deploying Spark apps in client mode (in my case from inside the driver pod), one can't specify the service account in accordance with the docs (https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).

      The property spark.kubernetes.authenticate.driver.serviceAccountName is most likely added in cluster mode only, which would be consistent with spark.kubernetes.authenticate.driver being the cluster mode prefix.

      We should either inject the service account specified by this property in the client mode pods, or specify an equivalent config: spark.kubernetes.authenticate.serviceAccountName

      This is the exception:

      Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "..." is forbidden: User "system:serviceaccount:mynamespace:default" cannot get pods in the namespace "mynamespace"

      The expectation was to see the user mynamespace:spark based on my submit command.

      My current workaround is to create a clusterrolebinding with edit rights for the mynamespace:default account.
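
Added example (not part of the original report and not Spark code): a check for which service account a client-mode driver pod authenticates as, read from the token mounted in the pod, so the identity in the exception above can be confirmed before any RBAC binding is widened. It assumes the driver uses the pod's mounted token at the standard path; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Standard in-pod mount point of the service account token.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def decode_claims(jwt):
    """Return the JWT payload; the signature is NOT verified (inspection only)."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rbac_username(claims):
    """Username the API server evaluates RBAC rules against for this token."""
    sub = claims.get("sub", "")
    if sub.startswith("system:serviceaccount:"):
        return sub
    # Legacy tokens also carry the identity in namespaced claims.
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns and name:
        return f"system:serviceaccount:{ns}:{name}"
    raise ValueError("token does not identify a service account")


def check_identity(jwt, namespace, expected_sa):
    actual = rbac_username(decode_claims(jwt))
    return actual == f"system:serviceaccount:{namespace}:{expected_sa}", actual


def make_sample_token(claims):
    """Constructed, unsigned token used only when no real token is mounted."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    try:
        with open(TOKEN_PATH) as fh:
            token = fh.read()
    except OSError:
        token = make_sample_token({"sub": "system:serviceaccount:mynamespace:default"})
    ok, actual = check_identity(token, "mynamespace", "spark")
    print(f"running as {actual}; matches expected: {ok}")
```

A mismatch here means the pod itself was started under a different service account than the one expected, which is a narrower thing to correct than granting cluster-wide rights to the namespace's default account.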


            People

              Assignee: Unassigned
              Reporter: Adrian Tanase (tase)