Spark Kubernetes

11/25/2019

I'm trying to run Spark on Kubernetes as Scheduler.

It works fine when running from outside of kubernetes cluster using kubectl proxy.

spark-shell --master k8s://http://localhost:8001 --conf spark.kubernetes.container.image=abdoumediaoptimise/spark

But whenever we try running spark-shell or spark-submit from within a pod directly, it never works (even when following the RBAC setup from the Spark docs with --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark). We have an authorization execution exception:

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes/api/v1/namespaces/default/pods?labelSelector=spark-app-selector%3Dspark-application-1574714537374,spark-role%3Dexecutor. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" in the namespace "default"

Any idea how to launch Spark from within pods? This actually makes using Spark k8s:// with notebooks impossible.

Spark RBAC YAML file

apiVersion: v1
kind: ServiceAccount
metadata:
  name:  spark
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: spark
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: ServiceAccount
    name: spark
    namespace: default
-- Abba
apache-spark
kubernetes

1 Answer

11/26/2019

spark.kubernetes.authenticate.driver.serviceAccountName is the ServiceAccount name which the Spark Driver's Kubernetes client uses to authenticate to the Kubernetes API to request executors.

You are looking for spark.kubernetes.authenticate.submission.*, which are used to configure the Kubernetes client of the SparkSubmit application to authenticate to the Kubernetes API to request the Service, ConfigMap and Driver Pod.

To make it work, configure your Pod with the ServiceAccount of interest: spec.serviceAccountName: <your-SA>. After that, use the files mounted in the /var/run/secrets/kubernetes.io/serviceaccount directory inside the Pod to configure the spark.kubernetes.authenticate.submission.* options.

-- Aliaksandr Sasnouskikh
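The step described in the answer above, as an added example that is not part of the original answer: a shell function that checks the mounted ServiceAccount files and emits the matching spark-submit flags. The function name, the cluster deploy mode and the `spark` default for the driver ServiceAccount (taken from the question) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the submitting Pod was
# created with spec.serviceAccountName set to a ServiceAccount that is bound to
# a role allowed to create pods, services and configmaps.

# Mount point named in the answer.
SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# spark_submission_auth_args [sa_dir] [driver_service_account]
# Prints one spark-submit argument per line; returns 1 if the mount is incomplete.
spark_submission_auth_args() {
  _sa_dir="${1:-$SA_DIR_DEFAULT}"
  _driver_sa="${2:-spark}"   # assumption: the ServiceAccount from the question

  # A missing file usually means the token automount is disabled for this Pod
  # or ServiceAccount, so fail early instead of falling back to anonymous access.
  for _f in token ca.crt namespace; do
    if [ ! -r "$_sa_dir/$_f" ]; then
      echo "missing $_sa_dir/$_f: ServiceAccount token is not mounted" >&2
      return 1
    fi
  done

  # KUBERNETES_SERVICE_HOST/PORT are injected into Pods by Kubernetes;
  # the in-cluster DNS name is used as a fallback.
  _host="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}"
  _port="${KUBERNETES_SERVICE_PORT:-443}"
  _ns="$(cat "$_sa_dir/namespace")"

  # The token is passed by file path (oauthTokenFile), never by value, so it
  # does not show up in the process list or in shell history.
  printf '%s\n' \
    --master "k8s://https://${_host}:${_port}" \
    --deploy-mode cluster \
    --conf "spark.kubernetes.namespace=${_ns}" \
    --conf "spark.kubernetes.authenticate.submission.caCertFile=${_sa_dir}/ca.crt" \
    --conf "spark.kubernetes.authenticate.submission.oauthTokenFile=${_sa_dir}/token" \
    --conf "spark.kubernetes.authenticate.driver.serviceAccountName=${_driver_sa}"
}
```

Inside the Pod, the printed lines are passed to spark-submit ahead of the image, class and jar arguments.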
Source: StackOverflow