Github user rvesse commented on a diff in the pull request:

https://github.com/apache/spark/pull/21669#discussion_r215692843

--- Diff: docs/security.md --- @@ -722,6 +722,62 @@ with encryption, at least. The Kerberos login will be periodically renewed using the provided credentials, and new delegation tokens for supported will be created. +## Secure Interaction with Kubernetes + +When talking to Hadoop-based services behind Kerberos, it was noted that Spark needs to obtain delegation tokens +so that non-local processes can authenticate. These delegation tokens in Kubernetes are stored in Secrets that are +shared by the Driver and its Executors. As such, there are three ways of submitting a kerberos job: + --- End diff --

Might be worth making it explicit here that for any of the following examples to work, `HADOOP_CONF_DIR` must be defined in the submission environment; otherwise the K8S backend skips all the HDFS steps, including Kerberos setup.

Also, shouldn't the Running on Kubernetes docs also be updated to mention this feature, even if only to link users across to this doc?
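
Review bot: The added sentence "These delegation tokens in Kubernetes are stored in Secrets that are shared by the Driver and its Executors" does not say who else can read those Secrets. Since the same paragraph states that delegation tokens are what lets non-local processes authenticate, suggest adding a sentence that read access to Secrets in the job's namespace should be limited (for example with Kubernetes RBAC) to the accounts that run the Driver and Executors. Two wording points in the same paragraph: "kerberos job" in the last added line should be capitalised as "Kerberos" to match its use two lines above, and "it was noted that" can be dropped so the sentence states the requirement directly.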