Madhukar525722 opened a new issue, #6784:
URL: https://github.com/apache/kyuubi/issues/6784

   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   
   
   ### Search before asking
   
   - [X] I have searched in the [issues](https://github.com/apache/kyuubi/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### What would you like to be improved?
   
   Spark submit
   Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure 
executing: POST at: 
https://<k8s_cluster_endpoint>/api/v1/namespaces/genai/pods. Message: 
Forbidden! User doesn't have permission. pods is forbidden: User "madlnu" 
cannot create resource "pods" in API group "" in the namespace "genai".
   
   Kyuubi engine launch in share level USER
   Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure 
executing: POST at: 
https://<k8s_cluster_endpoint>/api/v1/namespaces/genai/pods. Message: 
Forbidden!Configured service account doesn't have access. Service account may 
have been revoked. pods is forbidden: User "system:serviceaccount:scaas:spark" 
cannot create resource "pods" in API group "" in the namespace "genai".
   
   **When a USER engine is launched in the k8s cluster, it takes the user that the 
Kyuubi server is running as rather than the actual user.**
   
   Configurations:
   kyuubi.authentication=KERBEROS
   kyuubi.spnego.keytab=spnego.keytab
   kyuubi.spnego.principal=spn...@domain.com
   kyuubi.kinit.principal=h...@domain.com
   kyuubi.kinit.keytab=hive.keytab
   spark.kubernetes.namespace=genai
   kyuubi.kubernetes.master.address=k8s://https://<k8s_cluster_endpoint>
   spark.master=k8s://https://<k8s_cluster_endpoint>
   kyuubi.kubernetes.namespace=scaas
   spark.submit.deployMode=cluster
   spark.kubernetes.authenticate.serviceAccountName=spark
   spark.kubernetes.authenticate.driver.serviceAccountName=spark
   
   ### How should we improve?
   
   The expectation is that user authentication should happen while launching the 
engine pods.
   
   ### Are you willing to submit PR?
   
   - [X] Yes. I would be willing to submit a PR with guidance from the Kyuubi 
community to improve.
   - [ ] No. I cannot submit a PR at this time.
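
Added example, not part of the original issue or Kyuubi's code: a small parser for the two `Forbidden` messages quoted above that reports which identity the API server denied and whether it is a service account from a different namespace than the target. Treating `madlnu` as the session user is an assumption taken from the first trace; `parse_denial` and `triage` are hypothetical helper names.

```python
import re

# RBAC denial text as emitted by the Kubernetes API server in both traces above.
DENIAL = re.compile(
    r'(?P<kind>\S+) is forbidden: User "(?P<subject>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<namespace>[^"]+)"'
)
SA_PREFIX = "system:serviceaccount:"


def parse_denial(message):
    """Return the denied request as a dict, or None when no RBAC denial is found."""
    # Stack traces get hard-wrapped in mail and logs; collapse whitespace first.
    match = DENIAL.search(" ".join(message.split()))
    if match is None:
        return None
    denial = match.groupdict()
    subject = denial["subject"]
    sa_ns, sep, sa_name = subject[len(SA_PREFIX):].partition(":")
    is_sa = subject.startswith(SA_PREFIX) and bool(sep) and bool(sa_name)
    denial["subject_type"] = "serviceaccount" if is_sa else "user"
    denial["sa_namespace"] = sa_ns if is_sa else None
    denial["sa_name"] = sa_name if is_sa else None
    return denial


def triage(message, session_user):
    """Compare the denied identity with the user who opened the session."""
    denial = parse_denial(message)
    if denial is None:
        return None
    denial["is_session_user"] = denial["subject"] == session_user
    # A service account from another namespace needs a RoleBinding in the
    # target namespace; RBAC grants it nothing there by default.
    denial["cross_namespace_sa"] = (
        denial["subject_type"] == "serviceaccount"
        and denial["sa_namespace"] != denial["namespace"]
    )
    return denial


# Messages copied from the two traces in the issue, line wraps included.
SPARK_SUBMIT = '''Forbidden! User doesn't have permission. pods is forbidden: User "madlnu"
cannot create resource "pods" in API group "" in the namespace "genai".'''
KYUUBI_ENGINE = '''Service account may have been revoked. pods is forbidden: User
"system:serviceaccount:scaas:spark" cannot create resource "pods" in API group ""
in the namespace "genai".'''

if __name__ == "__main__":
    for text in (SPARK_SUBMIT, KYUUBI_ENGINE):
        print(triage(text, session_user="madlnu"))
```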

