[KYUUBI #3902][DOC] Add ServiceAccount related content in kyuubi depl…

…oy on kubernetes ### _Why are the changes needed?_ Add `Kyuubi Deploy On Kubernetes ServiceAccount-related` documentation, and explicitly assert serviceAccountName: default as the default configuration in the template file `${KYUUBI_HOME}/docker/kyuubi-pod(deployment).yaml` to make it easier for users to set. ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #3906 from zwangsheng/doc/kyuubi_on_k8s_service_account. Closes #3902 e0ed06d [Cheng Pan] Update docs/deployment/kyuubi_on_kubernetes.md 6cd29dd [zwangsheng] build doc for serviceAccount Lead-authored-by: zwangsheng <2213335496@qq.com> Co-authored-by: Cheng Pan <pan3793@gmail.com> Signed-off-by: Cheng Pan <chengpan@apache.org>
apache · Dec 12, 2022 · 3bb594a · 3bb594a
1 parent 886682f
commit 3bb594a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/docker/kyuubi-deployment.yaml b/docker/kyuubi-deployment.yaml
@@ -48,6 +48,7 @@ spec:
       labels:
         app: kyuubi-server
     spec:
+      serviceAccountName: default
       containers:
         - name: kyuubi-server
           # TODO: replace this with the stable tag

diff --git a/docker/kyuubi-pod.yaml b/docker/kyuubi-pod.yaml
@@ -48,6 +48,7 @@ metadata:
   labels:
     app: kyuubi-server
 spec:
+  serviceAccountName: default
   containers:
     - name: kyuubi-server
       # TODO: replace this with the stable tag

diff --git a/docs/deployment/kyuubi_on_kubernetes.md b/docs/deployment/kyuubi_on_kubernetes.md
@@ -72,6 +72,22 @@ You can deploy single-node Kyuubi through `${KYUUBI_HOME}/docker/kyuubi-pod.yaml
 
 Also, you can use `${KYUUBI_HOME}/docker/kyuubi-service.yaml` to deploy Kyuubi Service.
 
+### [Optional] ServiceAccount
+
+According to [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), we need to give kyuubi server the corresponding kubernetes privileges for `created/list/delete` engine pods in kubernetes.
+
+You should create your serviceAccount ( or reuse account with the appropriate privileges ) and set your serviceAccountName for kyuubi pod, which you can find template in `${KYUUBI_HOME}/docker/kyuubi-deployment.yaml` or `${KYUUBI_HOME}/docker/kyuubi-pod.yaml`.
+
+For example, you can create serviceAccount by following command:
+
+```shell
+kubectl create serviceAccount kyuubi -n <your namespace>
+
+kubectl create rolebinding kyuubi-role --role=edit --serviceAccount=<your namespace>:kyuubi --namespace=<your namespace>
+```
+
+See more related details in [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) and [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/).
+
 ## Config
 
 You can configure Kyuubi the old-fashioned way by placing kyuubi-default.conf inside the image. Kyuubi do not recommend using this way on Kubernetes.