[ 
https://issues.apache.org/jira/browse/SPARK-33720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904882#comment-17904882
 ] 

Andre Piwoni commented on SPARK-33720:
--------------------------------------

This resolved one issue and created another one because it breaks usage of 
`insecure-skip-tls-verify` via KUBECONFIG file when using cluster context with 
auto configure.

The code below basically overwrites `insecure-skip-tls-verify` from KUBECONFIG set 
by autoconfigure when KUBERNETES_TRUST_CERTIFICATES is missing because it 
defaults to false. With this bug it is impossible to drive hostname 
verification via KUBECONFIG when multiple clusters are present with different 
requirements.

```
// Spark: the setting defaults to false when it is not set
val KUBERNETES_TRUST_CERTIFICATES =
    ConfigBuilder("spark.kubernetes.trust.certificates")
      .createWithDefault(false)
// Spark: that value (false when unset) is applied on top of the autoconfigured Config
val config = new ConfigBuilder(autoConfigure(kubeContext.orNull))
      .withTrustCerts(sparkConf.get(KUBERNETES_TRUST_CERTIFICATES))

// kubernetes-client Config.autoConfigure
config.setTrustCerts(currentCluster.getInsecureSkipTlsVerify() != null && currentCluster.getInsecureSkipTlsVerify());
config.setDisableHostnameVerification(currentCluster.getInsecureSkipTlsVerify() != null && currentCluster.getInsecureSkipTlsVerify());
```

Correct implementation should do the following:

1. If KUBERNETES_TRUST_CERTIFICATES is not set AND Config from autoconfigure 
isTrustCerts=true then no hostname verification
2. If KUBERNETES_TRUST_CERTIFICATES is not set AND Config from autoconfigure 
isTrustCerts=false then do hostname verification
3. If KUBERNETES_TRUST_CERTIFICATES is set use this as an override

> Support submit to k8s only with token
> -------------------------------------
>
>                 Key: SPARK-33720
>                 URL: https://issues.apache.org/jira/browse/SPARK-33720
>             Project: Spark
>          Issue Type: Improvement
>          Components: Kubernetes
>    Affects Versions: 3.2.0
>            Reporter: hong dongdong
>            Assignee: hong dongdong
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.2.0
>
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
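
The precedence problem described in the comment above, as an added example that is not part of the original comment and is not Spark or kubernetes-client code: a dependency-free Scala model comparing the reported behaviour with the three proposed rules. All names (`TrustCertsPrecedence`, `current`, `proposed`) and the cluster entries are hypothetical, and `trustCerts = true` is taken to mean "no hostname verification", as in the comment.

```scala
// Added example: hypothetical names, constructed data, no Spark or fabric8 dependency.
object TrustCertsPrecedence {
  // Constructed sample: insecure-skip-tls-verify per kubeconfig cluster (None = key absent).
  val clusters: Seq[(String, Option[Boolean])] = Seq(
    "dev"     -> Some(true),
    "prod"    -> Some(false),
    "staging" -> None
  )

  // Mirrors the autoConfigure line quoted in the comment: a null value counts as false.
  def fromKubeconfig(skipTlsVerify: Option[Boolean]): Boolean =
    skipTlsVerify.getOrElse(false)

  // Behaviour the comment reports: the Spark setting falls back to false when unset,
  // and that value always replaces what autoConfigure derived. The kubeconfig value
  // is deliberately ignored here, which is the bug.
  def current(skipTlsVerify: Option[Boolean], sparkSetting: Option[Boolean]): Boolean =
    sparkSetting.getOrElse(false)

  // Rules 1-3 from the comment: an explicit Spark setting is an override (rule 3),
  // otherwise the kubeconfig-derived value stands (rules 1 and 2).
  def proposed(skipTlsVerify: Option[Boolean], sparkSetting: Option[Boolean]): Boolean =
    sparkSetting.getOrElse(fromKubeconfig(skipTlsVerify))

  def main(args: Array[String]): Unit = {
    // spark.kubernetes.trust.certificates: unset, true, false
    val settings: Seq[Option[Boolean]] = Seq(None, Some(true), Some(false))
    println("cluster  spark   current  proposed")
    for ((name, skip) <- clusters; spark <- settings) {
      val sparkLabel = spark.map(_.toString).getOrElse("unset")
      val cur = current(skip, spark)
      val prop = proposed(skip, spark)
      val note = if (cur != prop) "<- kubeconfig value lost" else ""
      println(f"$name%-8s $sparkLabel%-7s $cur%-8s $prop%-8s $note")
    }
  }
}
```

The two resolutions differ only for a cluster whose kubeconfig entry sets `insecure-skip-tls-verify: true` while the Spark setting is unset. Under rule 3 an explicit `true` also applies to every cluster in the matrix, including the one whose kubeconfig entry asks for verification.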
