[SPARK-27872][K8s] Fix executor service account inconsistency #24748
Conversation
|
jenkins test this pelase |
|
Test build #105980 has finished for PR 24748 at commit
|
|
Kubernetes integration test starting |
|
@shaneknapp I think it would be good to run tests using the rbac file available to make sure we cover cases like this. Thoughts? |
|
@erikerlandson @liyinan926 @srowen pls review. Should we backport it to branch 2.4? |
|
Kubernetes integration test starting |
|
Kubernetes integration test status success |
|
Test build #105981 has finished for PR 24748 at commit
|
|
Kubernetes integration test status success |
|
I don't know much about the context here, but would someone really need separate service accounts for driver and executor? |
|
@srowen the idea so far was to have executors get assigned the default one (independently of the driver sa), assuming that the default account has the least privileges. Executors dont create resources. We discussed this a bit at the User Group Meeting and seems a viable option to make it configurable in case you dont have to comply with the driver sa. I will wait to see what the others have to say, I am ok if we dont make it configurable. |
|
One possibility would be constraining to two options: either "default" or "whatever the driver's SA is", which I believe solves the original issue. |
|
+1 on @erikerlandson's suggestion. The only question is how do we know when to use the |
|
so with the driver sa, the driver can still do stuff? that doesn't sound very secure as the driver is still running user/app code? |
|
@felixcheung that is true yet the driver needs to create certain resources so it needs some privileges. |
|
@liyinan926 the initial PR was following @erikerlandson suggestion to make it configurable, but
If there is no service account defined with the config property then we dont set anything which means picking up |
|
Kubernetes integration test starting |
|
Test build #106109 has finished for PR 24748 at commit
|
|
Kubernetes integration test status success |
|
@erikerlandson @felixcheung pls review I made the modifications needed. |
|
My take on "driver's SA or |
|
@erikerlandson I am not sure we can assume default has less privileges as before, user may assign it any kind of privileges. I dont see any benefit keeping the old behavior. It would be good to have clear semantics. @liyinan926 what's ur take? |
|
The proposed behavior of "default executor SA to the driver SA" and default driver SA to |
|
@erikerlandson I see ok. Whatever works I dont mind let me know if this can be merged otherwise I can add a flag. ;) |
|
LGTM |
|
@erikerlandson could you merge it pls if there are no objections from @liyinan926 or @felixcheung ? |
|
@erikerlandson gentle ping :) |
|
@srowen do you think I can get this merged, Erik is off until the 24th. |
|
Merged to master |
## What changes were proposed in this pull request? Fixes the service account inconsistency that breaks pull secrets. It gives the option to the user to setup a specific service account for the executors if he has to (via `spark.kubernetes.authenticate.executor.serviceAccountName`). Defaults to the driver's one. We are not supporting special authentication credentials for the executors with this PR. ## How was this patch tested? Tested manually by launching a Spark job exercising the introduced settings. Added a new integration tests for this fix. Closes apache#24748 from skonto/fix_executor_sa. Authored-by: Stavros Kontopoulos <[email protected]> Signed-off-by: Sean Owen <[email protected]>
Fixes the service account inconsistency that breaks pull secrets. It gives the option to the user to setup a specific service account for the executors if he has to (via `spark.kubernetes.authenticate.executor.serviceAccountName`). Defaults to the driver's one. We are not supporting special authentication credentials for the executors with this PR. Tested manually by launching a Spark job exercising the introduced settings. Added a new integration tests for this fix. Closes apache#24748 from skonto/fix_executor_sa. Authored-by: Stavros Kontopoulos <[email protected]> Signed-off-by: Sean Owen <[email protected]> (cherry picked from commit 7912ab8)
### What changes were proposed in this pull request? Similar patch to #24748 but applied to the branch-2.4. Backporting the fix to releases 2.4.x. Please let me know if I missed some step; I haven't contributed to spark in a long time. Closes #29844 from nssalian/patch-SPARK-27872. Authored-by: nssalian <[email protected]> Signed-off-by: Erik Erlandson <[email protected]>
### What changes were proposed in this pull request? Similar patch to #24748 but applied to the branch-2.4. Backporting the fix to releases 2.4.x. Closes #29877 from nssalian/SPARK-27872. Authored-by: nssalian <[email protected]> Signed-off-by: Dongjoon Hyun <[email protected]>
|
@CloudFlow @RayRoestenburg @yuchaoran2011 : can latest On https://cloudflow.io/docs/dev/administration/installing-spark-operator.html (https://archive.ph/wip/Qa1Vn) it says
Is it still the case that the Resources
|
|
Hi @SemanticBeeng, we are in the process of releasing Cloudflow 2.1.0, which is taking a different approach for Spark integration. We have tested that this approach does work with the latest version of Spark operator and with Spark 3.1.1. Please see the cloudflow-contrib docs for the new approach: https://lightbend.github.io/cloudflow-contrib/docs/0.0.4/index.html (repo is here: https://github.com/lightbend/cloudflow-contrib). |
What changes were proposed in this pull request?
Fixes the service account inconsistency that breaks pull secrets. It gives the option to the user to setup a specific service account for the executors if he has to
(via
spark.kubernetes.authenticate.executor.serviceAccountName). Defaults to the driver's one.We are not supporting special authentication credentials for the executors with this PR.
How was this patch tested?
Tested manually by launching a Spark job exercising the introduced settings.
Added a new integration tests for this fix.