[SPARK-33720][K8S] Support submit to k8s only with token #30684
ok to test
val KUBERNETES_TRUST_CERTIFICATES = | ||
ConfigBuilder("spark.kubernetes.trust.certificates") | ||
.doc("If set to true then client can submit to kubernetes cluster only with token") | ||
.version("3.0.2") |
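Review bot: the `.doc(...)` string for `spark.kubernetes.trust.certificates` states only the outcome ("client can submit to kubernetes cluster only with token") and says nothing about certificates, although the key is named for certificate trust. Suggest wording the doc around what the client trusts when the value is true and what it still checks when it is false, so that someone reading the configuration reference can tell that enabling it changes TLS certificate handling and not only which credentials are required.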
Hi, @hddong. This should be `3.2.0` because this is a new feature and `master` branch's version is `3.2.0-SNAPSHOT`.
In addition to https://github.com/apache/spark/pull/30684/files#r539500957, could you describe the environment where this PR is helpful? How can we verify this PR? Without testing or verification, this PR is not mergeable. Please write the reproducible procedure in the PR description instead of saying `no need`, please.
How was this patch tested?
no need
Test build #132501 has finished for PR 30684 at commit
Kubernetes integration test starting
Kubernetes integration test status success
@dongjoon-hyun: thanks for your review, I have addressed them.
Test build #132767 has finished for PR 30684 at commit
Kubernetes integration test starting
Kubernetes integration test status success
resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/Config.scala
@hddong Why don't we use `insecure-skip-tls-verify` in `.kubeconfig`?
Can one of the admins verify this patch?
@dongjoon-hyun: sorry for the feedback after such a long time,
I'm wondering when
@dongjoon-hyun: We can submit directly with token when client has no k8s client(
I have a project that would greatly benefit from this patch as well. The ability to use
@dongjoon-hyun: what do you think about this PR?
Sorry for the delay, @hddong. I'll review right now again.
+1, LGTM. I verified this manually.
Merged to master for Apache Spark 3.2.0.
cc @attilapiros, too.
### What changes were proposed in this pull request?

Support submit to k8s only with token.

### Why are the changes needed?

Now, submit to k8s always needs oauth files.

### Does this PR introduce _any_ user-facing change?

### How was this patch tested?

Before, submit job out of k8s cluster without correct ca.crt, we may get this exception:

```
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at sun.security.validator.Validator.validate(Validator.java:271)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
```

When set spark.kubernetes.trust.certificates = true, we can submit only with correct token, no need to config ca.crt in local env.

Submit as:

```
bin/spark-submit \
  --master $master \
  --name pi \
  --deploy-mode cluster \
  --conf spark.kubernetes.container.image=$image \
  --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark \
  --conf spark.kubernetes.authenticate.submission.oauthToken=$clusterToken \
  --conf spark.kubernetes.trust.certificates=true \
  local:///opt/spark/examples/src/main/python/pi.py 200
```

Closes apache#30684 from hddong/trust-certs.

Authored-by: hongdongdong <hongdongdong@cmss.chinamobile.com>
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
(cherry picked from commit 985c653)
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
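A defender-side check for the submission shown in the commit message above, as an added example that is not part of the pull request or of Spark: it scans a `spark-submit` command line and reports when `spark.kubernetes.trust.certificates=true` is set, and when an OAuth token is sent in that same submission. It assumes, in line with the reviewer's comparison to `insecure-skip-tls-verify`, that the setting makes the client accept the API server certificate without checking it against a CA; the function names, finding labels and sample values are constructed for illustration.

```python
import shlex

TRUST_KEY = "spark.kubernetes.trust.certificates"  # key introduced by this PR
TOKEN_KEY = "spark.kubernetes.authenticate.submission.oauthToken"  # from the page's command


def parse_confs(cmdline):
    """Collect --conf key=value pairs from a spark-submit command line."""
    # Drop backslash-newline continuations, then tokenize like a POSIX shell.
    tokens = shlex.split(cmdline.replace("\\\n", " "))
    confs = {}
    i = 0
    while i < len(tokens):
        tok, pair = tokens[i], None
        if tok == "--conf" and i + 1 < len(tokens):
            pair, i = tokens[i + 1], i + 1
        elif tok.startswith("--conf="):
            pair = tok[len("--conf="):]
        if pair and "=" in pair:
            key, value = pair.split("=", 1)
            confs[key.strip()] = value.strip()  # a later --conf overrides an earlier one
        i += 1
    return confs


def audit(cmdline):
    """Return findings for a submission that skips API server certificate checks."""
    confs = parse_confs(cmdline)
    findings = []
    # Assumption: the boolean value is matched case-insensitively.
    if confs.get(TRUST_KEY, "false").lower() == "true":
        findings.append("tls-unverified")
        if confs.get(TOKEN_KEY):
            # The bearer token goes to an endpoint whose identity was never checked.
            findings.append("token-sent-over-unverified-tls")
    return findings


# Constructed sample inputs: placeholder master URL, image and token.
FLAGGED = """bin/spark-submit \\
  --master k8s://https://k8s.example.invalid:6443 \\
  --deploy-mode cluster \\
  --conf spark.kubernetes.container.image=example/spark-py:latest \\
  --conf spark.kubernetes.authenticate.submission.oauthToken=PLACEHOLDER_TOKEN \\
  --conf spark.kubernetes.trust.certificates=true \\
  local:///opt/spark/examples/src/main/python/pi.py 200"""
CLEAN = FLAGGED.replace(TRUST_KEY + "=true", TRUST_KEY + "=false")

if __name__ == "__main__":
    for name, cmd in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(name, audit(cmd))
```

The same `audit` function can be run over CI job definitions or shell history exports to find submissions that rely on the setting.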
What changes were proposed in this pull request?
Support submit to k8s only with token.
Why are the changes needed?
Now, submit to k8s always needs oauth files.
Does this PR introduce any user-facing change?
How was this patch tested?
Before, submit job out of k8s cluster without correct ca.crt, we may get this exception:
When set spark.kubernetes.trust.certificates = true, we can submit only with correct token, no need to config ca.crt in local env.
Submit as: