-
Notifications
You must be signed in to change notification settings - Fork 13.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FLINK-20664][k8s] Support setting service account for TaskManager pod. #14447
Conversation
Thanks a lot for your contribution to the Apache Flink project. I'm the @flinkbot. I help the community Automated ChecksLast check on commit d07b609 (Mon Dec 21 14:49:33 UTC 2020) Warnings:
Mention the bot in a comment to re-run the automated checks. Review Progress
Please see the Pull Request Review Guide for a full explanation of the review process. The Bot is tracking the review progress through labels. Labels are applied according to the order of the review items. For consensus, approval by a Flink committer of PMC member is required Bot commandsThe @flinkbot bot supports the following commands:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@blublinsky Thanks for creating this PR. Generally, it looks good to me. I left some comments and let's check it before merging.
Moreover, I have verified this change in minikube with K8s HA configured. It works well.
...ernetes/src/main/java/org/apache/flink/kubernetes/configuration/KubernetesConfigOptions.java
Outdated
Show resolved
Hide resolved
...ernetes/src/main/java/org/apache/flink/kubernetes/configuration/KubernetesConfigOptions.java
Show resolved
Hide resolved
...est/java/org/apache/flink/kubernetes/kubeclient/decorators/InitTaskManagerDecoratorTest.java
Outdated
Show resolved
Hide resolved
@@ -60,6 +60,13 @@ | |||
.withDescription("Service account that is used by jobmanager within kubernetes cluster. " + | |||
"The job manager uses this service account when requesting taskmanager pods from the API server."); | |||
|
|||
public static final ConfigOption<String> TASK_MANAGER_SERVICE_ACCOUNT = | |||
key("kubernetes.taskmanager.service-account") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we also need to update the native-kubernetes.md#RBAC
section. At least, we need to tell users they could set the service account for TaskManager via kubernetes.taskmanager.service-account
. And it is necessary only Kubernetes HA mode,.
The commit message also needs to be refined. I think it could be |
@tillrohrmann is suggesting to introduce a common config option |
Fixed requested. Not sure about Till's request |
@blublinsky I think what till means is to introduce a common config option for service account. It could be Then the
Moreover, we need a test for such fallback logics. |
Even with this approach the sequence for job manager and task manager should be different. otherwise, if a job manager account is defined it will always take precedence for both |
@blublinsky Why the sequence for job manager and task manager should be different? In my opinion, the specific config option for jobmanager/taskmanager should always have the precedence. |
If I want to define tm and jm accounts differently, then sequence definitely matters. |
@blublinsky There are three options in total:
JM uses the account defined by In this way, a user can choose to either define a common account for JM/TM via |
You may take a look at how the following config options work as an example.
|
Oh, thats not what the code snipet reads. Thats fine |
Introduced a common config option for service account and added unit tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @blublinsky for preparing and updating the PR, and thank @wangyang0918 for the review.
Then changes LGTM. I have only a few minor comments, which I'll address myself during merging.
.stringType() | ||
.defaultValue("default") | ||
.withDescription("Service account that is used by jobmanager and taskmanger within kubernetes cluster. " + | ||
"if specific JOB_MANAGER_SERVICE_ACCOUNT and/or TASK_MANAGER_SERVICE_ACCOUNT are not defined."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be more user friendly to mention the configuration keys rather than the java field names.
And I believe we should also mention in descriptions of JOB_MANAGER_SERVICE_ACCOUNT
and TASK_MANAGER_SERVICE_ACCOUNT
that they will by default fallback to KUBERNETES_SERVICE_ACCOUNT
.
import static org.junit.Assert.assertThat; | ||
|
||
/** | ||
* General tests for the {@link InitJobManagerDecorator}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inconsistent JavaDoc.
import static org.junit.Assert.assertEquals; | ||
|
||
/** | ||
* General tests for the {@link InitJobManagerDecorator}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inconsistent JavaDoc.
private static final String JOB_MANGER_SERVICE_ACCOUNT_NAME = "jm-service-test"; | ||
|
||
private Pod resultPod; | ||
private Container resultMainContainer; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused
private static final String TASK_MANAGER_SERVICE_ACCOUNT_NAME = "tm-service-test"; | ||
|
||
private Pod resultPod; | ||
private Container resultMainContainer; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unused
|
||
@Test | ||
public void testPodServiceAccountName() { | ||
assertThat(TASK_MANAGER_SERVICE_ACCOUNT_NAME, is(this.resultPod.getSpec().getServiceAccountName())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assertThat(TASK_MANAGER_SERVICE_ACCOUNT_NAME, is(this.resultPod.getSpec().getServiceAccountName())); | |
assertThat(this.resultPod.getSpec().getServiceAccountName(), is(TASK_MANAGER_SERVICE_ACCOUNT_NAME)); |
The util method is defined as follows. Out-of-ordered arguments could lead to improper error messages.
public static <T> void assertThat(T actual, Matcher<? super T> matcher)
|
||
@Test | ||
public void testPodServiceAccountName() { | ||
assertEquals(JOB_MANGER_SERVICE_ACCOUNT_NAME, this.resultPod.getSpec().getServiceAccountName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assertThat(actual, is(expected))
is preferred.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
key("kubernetes.service-account") | ||
.stringType() | ||
.defaultValue("default") | ||
.withDescription("Service account that is used by jobmanager and taskmanger within kubernetes cluster. " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo taskmanger
-> taskmanager
.defaultValue("default") | ||
.withDescription("Service account that is used by jobmanager and taskmanger within kubernetes cluster. " + | ||
"Notice that this can be overwritten by config options '" + JOB_MANAGER_SERVICE_ACCOUNT.key() + | ||
"' and '" + TASK_MANAGER_SERVICE_ACCOUNT.key() + "' for jobmanager and taskmanager respectively."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"' and '" + TASK_MANAGER_SERVICE_ACCOUNT.key() + "' for jobmanager and taskmanager respectively."); | |
"' and '" + TASK_MANAGER_SERVICE_ACCOUNT.key() + "' for jobmanager and taskmanager respectively."); |
A useless space here.
@@ -187,6 +189,11 @@ public void testPodAnnotations() { | |||
assertThat(resultAnnotations, is(equalTo(ANNOTATIONS))); | |||
} | |||
|
|||
@Test | |||
public void testPodServiceAccountName() { | |||
assertThat(SERVICE_ACCOUNT_NAME, is(this.resultPod.getSpec().getServiceAccountName())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assertThat(SERVICE_ACCOUNT_NAME, is(this.resultPod.getSpec().getServiceAccountName())); | |
assertThat(this.resultPod.getSpec().getServiceAccountName(), is(SERVICE_ACCOUNT_NAME)); |
Thanks guys, can we do the same with other PRs? |
@blublinsky |
@blublinsky For FLINK-20359, I will have a look in this week. And the other two tickets, let's do the pod template first. |
I'm sure we can continue with the discussions and code reviews for these issues, in the corresponding JIRA tickets and pull requests. I also noticed that, for the three PRs, non of the corresponding JIRA tickets are assigned. I'd like to kindly remind that, the Apache Flink community suggests to reaching consensus on the approach and getting assigned to the ticket by a committer before start working on the implementation. Please take a close look at How to Contribute Code. |
What is the purpose of the change
Currently, we only set the service account for JobManager. The TaskManager is using the default service account. Before the KubernetesHAService is introduced, it works because the TaskManager does not need to access the K8s resource(e.g. ConfigMap) directly. But now the TaskManager needs to watch ConfigMap and retrieve leader address. So if the default service account does not have enough permission, users could not specify a valid service account for TaskManager.
Brief change log
Verifying this change
This change added tests and can be verified by running unit tests
Does this pull request potentially affect one of the following parts:
@Public(Evolving)
: (yes / no) noDocumentation