[
https://issues.apache.org/jira/browse/SPARK-27872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17200439#comment-17200439
]
Apache Spark commented on SPARK-27872:
--------------------------------------
User 'nssalian' has created a pull request for this issue:
https://github.com/apache/spark/pull/29844
> Driver and executors use a different service account breaking pull secrets
> --------------------------------------------------------------------------
>
> Key: SPARK-27872
> URL: https://issues.apache.org/jira/browse/SPARK-27872
> Project: Spark
> Issue Type: Bug
> Components: Kubernetes, Spark Core
> Affects Versions: 2.4.3, 3.0.0
> Reporter: Stavros Kontopoulos
> Assignee: Stavros Kontopoulos
> Priority: Major
> Fix For: 3.0.0
>
>
> Driver and executors use different service accounts in case the driver has
> one set up which is different than default:
> [https://gist.github.com/skonto/9beb5afa2ec4659ba563cbb0a8b9c4dd]
> This makes the executor pods fail when the user links the driver service
> account with a pull secret:
> [https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account].
> Executors will not use the driver's service account and will not be able to
> get the secret in order to pull the related image.
> I am not sure what is the assumption here for using the default account for
> executors, probably because of the fact that this account is limited (btw
> executors dont create resources)? This is an inconsistency that could be
> worked around with the pod template feature in Spark 3.0.0 but it breaks pull
> secrets and in general I think its a bug to have it.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
