I am using below manifest to run some k8s Job, However i am not able to submit job successfully due to below error.
apiVersion: batch/v1
kind: Job
metadata:
name: spark-on-eks
spec:
template:
spec:
imagePullSecrets:
- name: mycreds
containers:
- name: spark
image: repo:buildversion
command:
- "/bin/sh"
- "-c"
- '/opt/spark/bin/spark-submit \
--master k8s://EKSEndpoint \
--deploy-mode cluster \
--name spark-luluapp \
--class com.ll.jsonclass \
--conf spark.jars.ivy=/tmp/.ivy \
--conf spark.kubernetes.container.image=repo:buildversion \
--conf spark.kubernetes.namespace=spark-pi \
--conf spark.kubernetes.authenticate.driver.serviceAccountName=spark-sa \
--conf spark.hadoop.fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem \
--conf spark.kubernetes.authenticate.executor.serviceAccountName=spark-sa \
--conf spark.kubernetes.driver.pod.name=spark-job-driver \
--conf spark.executor.instances=4 \
local:///opt/spark/examples/App-buildversion-SNAPSHOT.jar \
[mks,env,reg,"dd.mm.yyyy","true","off","db-comp-results","true","XX","XXX","XXXXX","XXX",$,###] '
serviceAccountName: spark-pi
restartPolicy: Never
backoffLimit: 4
Error: Error: ImagePullBackOff Normal Pulling Pulling image "repo/buildversion" Warning Failed Failed to pull image "repo/buildversion": rpc error: code = Unknown desc = Error response from daemon: unauthorized: The client does not have permission for manifest
i checked the secrets which i have listed, is already created and in use with already deployed applications.
Is this issue is related to init containers which are being used as secret injection for pods/jobs, or something i am missing in my manifest, also, i am running above step as apart of Auotmation on one of the Jenkins Slave, and it works fine for other application-pods ( Not sure of k8s jobs )
Are you using port, docker path, or reverse proxy configuration in Artifactory?
Validate first on another machine you can pull the image.
i.e. (docker path)
docker login ${ARTIFACTORY_URL}
docker pull ${ARTIFACTORY_URL}/repo/image:tag
I believe you may be using a reverse proxy config given the naming convention:
"repo:buildversion"
In this scenario you need to do a docker login to the repo:
docker login repo
docker push repo:buildversion
What this means for k8s is you likely used the wrong docker-server URL and this is why authentication won't work even with a valid API key.
If you are using reverse proxy try this:
kubectl create secret docker-registry mycred \
--docker-server=repo \
--docker-username=<your-name> \
--docker-password=<your-api-key> \
--docker-email=<your-email>