skonto edited a comment on issue #24748: [SPARK-27872][K8s] Fix executor service account inconsistency
URL: https://github.com/apache/spark/pull/24748#issuecomment-498066570

@felixcheung that is true, yet the driver needs to create certain resources, so it needs some privileges. So DoS is possible here by design before this PR and, as you said, it is not secure in that sense. On the other hand, afaik this is the case with other resource managers, e.g. Mesos, where you could potentially register an arbitrary framework and start accepting offers with the same privileges. Only quotas can restrict the misuse here, so if there are no quotas the user can by definition do whatever the account allows. So, strictly speaking, it does not seem like a security issue to me. The malicious code is capable of doing what the app is supposed to do, not more; it cannot, for example, escalate privileges or anything, unless you run with an admin account. Malicious code will, though, be able to bypass the Spark configuration and launch, for example, more than the allowed number of pods.
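An added example (not code from this PR or the Spark project) of the quota-based restriction the comment refers to: a Kubernetes ResourceQuota that caps the pod count in the namespace, so a driver that ignores `spark.executor.instances` still cannot exceed the namespace budget, alongside a minimal Role and RoleBinding for the driver service account. The namespace, role and service-account names are assumed.

```yaml
# Added example, not from the Spark project. Namespace "spark-jobs" and
# service account "spark" are assumed names.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: spark-pod-budget
  namespace: spark-jobs
spec:
  hard:
    pods: "20"        # hard ceiling: the API server rejects the 21st pod
                      # regardless of what the driver was configured to request
---
# Least-privilege Role: the driver service account may manage pods, services
# and configmaps in its own namespace and nothing else (no secrets, no RBAC,
# no cluster-scoped resources), so compromised driver code cannot escalate.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-driver
  namespace: spark-jobs
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "delete", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-driver
  namespace: spark-jobs
subjects:
- kind: ServiceAccount
  name: spark
  namespace: spark-jobs
roleRef:
  kind: Role
  name: spark-driver
  apiGroup: rbac.authorization.k8s.io
```

Apply with `kubectl apply -f` and check the budget with `kubectl describe resourcequota spark-pod-budget -n spark-jobs`, which shows used versus hard pod counts.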
