[
https://issues.apache.org/jira/browse/SPARK-42411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Puneet updated SPARK-42411:
---------------------------
Summary: Better support for Spark on Kubernetes while using Istio service
mesh (was: Add support for istio in strict MTLS PeerAuthentication)
> Better support for Spark on Kubernetes while using Istio service mesh
> ---------------------------------------------------------------------
>
> Key: SPARK-42411
> URL: https://issues.apache.org/jira/browse/SPARK-42411
> Project: Spark
> Issue Type: New Feature
> Components: Kubernetes
> Affects Versions: 3.2.3
> Reporter: Puneet
> Priority: Major
>
> h3. Support for Strict MTLS
> In strict MTLS Peer Authentication Istio requires each pod to be associated
> with a service identity (as this allows listeners to use the correct cert and
> chain). Without the service identity communication goes through passthrough
> cluster which is not permitted in strict mode. Community is still
> investigating communication through IPs with strict MTLS
> https://github.com/istio/istio/issues/37431#issuecomment-1412831780. Today
> Spark backend creates a service record for driver however executor pods
> register with pod ip with driver. In this model therefore, TLS handshake
> would fail between driver and executor and also between executors. As part of
> this jira we want to similarly add service records for the executor pods as
> well. This can be achieved by adding a ExecutorServiceFeatureStep similar to
> existing DriverServiceFeatureStep
> h3. Allowing binding to all IPs
> Before Istio 1.10 the istio-proxy sidecar was forwarding outside traffic to
> localhost of the pod. Thus is the application container is binding only to
> Pod IP the traffic would not be forwarded to it. This was addressed in 1.10
> https://istio.io/latest/blog/2021/upcoming-networking-changes. However the
> old behavior is still accessible through disabling the feature flag
> PILOT_ENABLE_INBOUND_PASSTHROUGH. Request to remove it has had some push back
> https://github.com/istio/istio/issues/37642. In current implementation Spark
> K8s backend does not allow to pass bind address for driver
> https://github.com/apache/spark/blob/master/resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/features/DriverServiceFeatureStep.scala#L35
> however as part of this jira we want to allow passing of bind address even
> in Kubernetes mode so long as the bind address is 0.0.0.0. This lets user
> choose the behavior dependening on state of PILOT_ENABLE_INBOUND_PASSTHROUGH
> in her Istio cluster.
> h3. Better support for istio-proxy sidecar lifecycle management
> In istio-enabled cluster istio-proxy sidecars would be auto-injected to
> driver/executor pods. If the application is ephemeral then driver and
> executor containers would exit, however istio-proxy container would continue
> to run. This causes driver/executor pods to enter NotReady state. As part of
> this jira we want ability to run a post stop cleanup after driver/executor
> container is completed. Similarly we also want to add support for a pre start
> up script, which can ensure for example that istio-sidecar is up before
> executor/driver container gets started.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
