[ https://issues.apache.org/jira/browse/SPARK-26295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024838#comment-17024838 ]
Mathew Wicks commented on SPARK-26295: -------------------------------------- I am still encountering this issue on 2.4.4, (and given SPARK-28360, this issue likely also occurs in Spark 3.0's current preview, but I haven't verified this). Can anyone take a look at this [~dongjoon]? The issue is effectively that `spark.kubernetes.authenticate.driver.serviceAccountName` and `spark.kubernetes.authenticate.serviceAccountName` are ignored in client mode with K8S master. No matter what you specify, the default service account for `spark.kubernetes.namespace` namespace is used > [K8S] serviceAccountName is not set in client mode > -------------------------------------------------- > > Key: SPARK-26295 > URL: https://issues.apache.org/jira/browse/SPARK-26295 > Project: Spark > Issue Type: Bug > Components: Kubernetes > Affects Versions: 2.4.0 > Reporter: Adrian Tanase > Priority: Major > > When deploying spark apps in client mode (in my case from inside the driver > pod), one can't specify the service account in accordance to the docs > ([https://spark.apache.org/docs/latest/running-on-kubernetes.html#rbac).] > The property {{spark.kubernetes.authenticate.driver.serviceAccountName}} is > most likely added in cluster mode only, which would be consistent with > {{spark.kubernetes.authenticate.driver}} being the cluster mode prefix. > We should either inject the service account specified by this property in the > client mode pods, or specify an equivalent config: > {{spark.kubernetes.authenticate.serviceAccountName}} > This is the exception: > {noformat} > Message: Forbidden!Configured service account doesn't have access. Service > account may have been revoked. pods "..." is forbidden: User > "system:serviceaccount:mynamespace:default" cannot get pods in the namespace > "mynamespace"{noformat} > The expectation was to see the user {{mynamespace:spark}} based on my submit > command. > My current workaround is to create a clusterrolebinding with edit rights for > the mynamespace:default account. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org