Added documentation on RBAC and service account #14
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
foxish
reviewed
Sep 21, 2017
src/jekyll/running-on-kubernetes.md
Outdated
|
|
||
| #### Driver | ||
|
|
||
| The Spark driver pod uses a Kubernetes service account to access the Kubernetes API server to create and watch executor pods. The service account used by the driver pod must have the appropriate permission for the driver to be able to do its work. Specifically, at minimum, the service account must have the [`edit`](https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles) [`Role` or `ClusterRole`](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) granted. By default, the driver pod is automatically assigned the `default` service account in the same namespace if no service account is specified when the pod gets created. Depending on the version and setup of Kubernetes deployed, this `default` service account may or may not have the `edit` role granted under the default Kubernetes [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) policies. Sometimes users may need to specify a custom service account that has the right role granted. Spark on Kubernetes supports specifying a custom service account to be used by the driver pod through the configuration property `spark.kubernetes.authenticate.driver.serviceAccountName=<service account name>`. For example to make the driver pod to use the `spark` service account, a user simply adds the following option to the `spark-submit` command: |
There was a problem hiding this comment.
Largely LGTM
" in the same namespace " -> in the namespace specified using --kubernetes.namespace.
Can you break this into multiple lines?
|
Thanks! |
kimoonkim
approved these changes
Sep 22, 2017
|
@foxish do you have any more comments? If not, I will merge. |
foxish
reviewed
Sep 22, 2017
src/jekyll/running-on-kubernetes.md
Outdated
|
|
||
| The Spark driver pod uses a Kubernetes service account to access the Kubernetes API server to create and watch executor pods. The service account used by the driver pod must have the appropriate permission for the driver to be able to do its work. | ||
|
|
||
| Specifically, at minimum, the service account must have the [`edit`](https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles) [`Role` or `ClusterRole`](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) granted. By default, the driver pod is automatically assigned the `default` service account in the namespace specified by `--kubernetes-namespace`, if no service account is specified when the pod gets created. |
There was a problem hiding this comment.
Must have "edit" on pods and services?
There was a problem hiding this comment.
Having the default "edit" role is a bit more than we need right?
There was a problem hiding this comment.
Made it more specific that a role that allows creating pods and secrets is needed.
src/jekyll/running-on-kubernetes.md
Outdated
| kubectl create clusterrolebinding spark-role --clusterrole=edit --serviceaccount=default:spark --namespace=default | ||
| ``` | ||
|
|
||
| Note that a `Role` can only be used to grant access to resources (like pods) within a single namespace, whereas a `ClusterRole` can be used to grant access to cluster-scoped resources (like nodes) as well as namespaced resources (like pods) across all namespaces. For Spark on Kubernetes, since the driver always creates executor pods in the same namespace, a `Role` is sufficient, although users may use a `ClusterRole` instead. For more information on RBAC authorization and how to configure Kubernetes service accounts for pods, please refer to [here](https://kubernetes.io/docs/admin/authorization/rbac/) and [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). |
There was a problem hiding this comment.
replace here with short description of link.
src/jekyll/running-on-kubernetes.md
Outdated
|
|
||
| #### Resource Staging Server | ||
|
|
||
| The Resource Staging Server (RSS) watches Spark driver pods to detect completed Spark applications so it knows when to safely delete resource bundles of the applications. When running as a pod in the same Kubernetes cluster as the Spark applications, by default (`spark.kubernetes.authenticate.resourceStagingServer.useServiceAccountCredentials` defaults to `true`), the RSS uses the default Kubernetes service account token located at `/var/run/secrets/kubernetes.io/serviceaccount/token` and the CA certificate located at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. |
There was a problem hiding this comment.
Would help to make it clearer that the location is within the pod, and is the default location that k8s uses. Unclear if it's the local machine being referred to here.
|
LGTM after comments |
foxish
reviewed
Sep 22, 2017
| @@ -290,6 +290,55 @@ the command may then look like the following: | |||
|
|
|||
| ## Advanced | |||
|
|
|||
| ### Configuring Kubernetes Roles and Service Accounts | |||
There was a problem hiding this comment.
We should specify that this applies to clusters with RBAC. Some clusters use custom authorizers.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes apache-spark-on-k8s/spark#500.