K
Q

Apache Spark spark-submit k8s API https ERROR

8/28/2020

Spark version :2.4.4

k8s version : 1.18

I have a Spark and a k8s cluster.

I followed Spark documentation : https://spark.apache.org/docs/2.4.4/running-on-kubernetes.html

When I submit a job with an HTTP proxy on k8s : everything is ok.

However with the native HTTPS API on k8s I got this error :

Previously I had to import k8s API cert to my master Spark (keytool).

internal.WatchConnectionManager: Exec Failure: HTTP 403, Status: 403 - pods "spark-pi-1598541432880-driver" is forbidden: User "system:anonymous" cannot watch resource "pods" in API group "" in the namespace "default"
java.net.ProtocolException: Expected HTTP 101 response but was '403 Forbidden'
	at okhttp3.internal.ws.RealWebSocket.checkResponse(RealWebSocket.java:216)
	at okhttp3.internal.ws.RealWebSocket$2.onResponse(RealWebSocket.java:183)
	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:141)
	at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

This is curious because there is no user anonymous.

I already try to add an 'anonymous' user to k8s but it has no effect.

If I try without import the API cert I got this error : 

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)

My command to submit my job : 

-bash-4.2$ spark-submit --master k8s://https://ip:port  --deploy-mode cluster --name spark-pi --class org.apache.spark.examples.SparkPi --conf spark.executor.instances=3 --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark --conf spark.kubernetes.container.image=docker.io/spawnxx/spark:fink-test-2 hdfs://hdfs_ip/user/sacha.pateyron/spark-examples_2.11-2.4.4.jar 1000

K8s https API is not supported natively by Apache Spark (so I must import the cert) ?

Any idea ?

-- sacha.p
apache-spark
api
https
java
kubernetes

Similar Questions

AKS or ACS with Kubernetes Orchestrator for new projects
Kafka on Kubernetes - UNKNOWN_TOPIC_OR_PARTITION and LEADER_NOT_AVAILABLE error
Kubctl accessing a Kubernetes Cluster created with Private IP
Connection Refused to Kubernetes Service
In k8s, how to let the nodes choose by itself what kind of pods they would accept

1 Answer

8/31/2020

Solution :

HTTPS k8s API use cert and token for authentication.

First download k8s HTTPS API :

On master spark -> 

echo -n|openssl s_client -connect ip_master_k8s:port_https_api|openssl x509 -outform PEM > selfsigned_certificate.pem

On k8s master machine get spark token :

kubectl get secret

kubectl describe secret spark-token-XXX

Then on Spark master we submit a job with cert and token :

spark-submit --master k8s://https://ip_master_k8s:port_https_api  --deploy-mode cluster --name spark-pi --class org.apache.spark.examples.SparkPi --conf spark.executor.instances=3 --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark --conf spark.kubernetes.container.image=your_image --conf spark.kubernetes.authenticate.submission.caCertFile=selfsigned_certificate.pem --conf spark.kubernetes.authenticate.submission.oauthToken=spark-token-XXX hdfs://ip_master_hdfs/my_jar
-- sacha.p
Source: StackOverflow