Stavros Kontopoulos created SPARK-27872:
-------------------------------------------
Summary: Driver and executors use a different service acount
Key: SPARK-27872
URL: https://issues.apache.org/jira/browse/SPARK-27872
Project: Spark
Issue Type: Bug
Components: Kubernetes
Affects Versions: 2.4.3, 3.0.0
Reporter: Stavros Kontopoulos
Driver and executors use different service accounts in case the driver has one
other than the default:
[https://gist.github.com/skonto/9beb5afa2ec4659ba563cbb0a8b9c4dd]
This makes the pod fail when the user links a service account with a secret:
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account]
as executors will not use the driver's service account and will not be able to
get the secret in order to pull the related image.
I am not sure what is the assumption here for using the default account for
executors, probably that this account is limited (executors dont create
resources)? This is an inconsistency that could be fixed with the pod template
feature in Spark 3.0.0 but it breaks pull secrets.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
