[SPARK-33720][K8S] Support submit to k8s only with token #30684
Conversation
dongjoon-hyun
changed the title
|
ok to test |
| val KUBERNETES_TRUST_CERTIFICATES = | ||
| ConfigBuilder("spark.kubernetes.trust.certificates") | ||
| .doc("If set to true then client can submit to kubernetes cluster only with token") | ||
| .version("3.0.2") |
There was a problem hiding this comment.
Hi, @hddong .
This should be 3.2.0 because this is a new feature and master branch's version is 3.2.0-SNAPSHOT.
There was a problem hiding this comment.
In addition to https://github.com/apache/spark/pull/30684/files#r539500957, could you describe the environment where this PR is helpful? How can we verify this PR? Without testing or verification, this PR is not mergeable. Please write the reproducible procedure in the PR description instead of saying no need, please.
How was this patch tested?
no need
|
Test build #132501 has finished for PR 30684 at commit
|
|
Kubernetes integration test starting |
|
Kubernetes integration test status success |
|
@dongjoon-hyun : thansk for your review, had address them. |
|
Test build #132767 has finished for PR 30684 at commit
|
|
Kubernetes integration test starting |
|
Kubernetes integration test status success |
resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/Config.scala
Show resolved
Hide resolved
There was a problem hiding this comment.
@hddong Why don't we use insecure-skip-tls-verify in .kubeconfig?
|
Can one of the admins verify this patch? |
|
@dongjoon-hyun : sorry for feedback so long time later, |
|
I'm wondering when
|
|
@dongjoon-hyun : We can submit directly with token when client has no k8s client( |
|
I have a project that would greatly benefit from this patch as well. The ability to use |
|
@dongjoon-hyun: how do you think about this PR. |
|
Sorry for the delay, @hddong . I'll review right now again. |
|
cc @attilapiros , too. |
### What changes were proposed in this pull request?
Support submit to k8s only with token.
### Why are the changes needed?
Now, sumbit to k8s always need oauth files.
### Does this PR introduce _any_ user-facing change?
### How was this patch tested?
Before, submit job out of k8s cluster without correct ca.crt, we may get this exception:
```
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
```
When set spark.kubernetes.trust.certificates = true, we can submit only with correct token, no need to config ca.crt in local env.
Submit as:
```
bin/spark-submit \
--master $master \
--name pi \
--deploy-mode cluster \
--conf spark.kubernetes.container.image=$image \
--conf spark.kubernetes.authenticate.driver.serviceAccountName=spark \
--conf spark.kubernetes.authenticate.submission.oauthToken=$clusterToken \
--conf spark.kubernetes.trust.certificates=true \
local:///opt/spark/examples/src/main/python/pi.py 200
```
Closes apache#30684 from hddong/trust-certs.
Authored-by: hongdongdong <hongdongdong@cmss.chinamobile.com>
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
(cherry picked from commit 985c653)
Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
What changes were proposed in this pull request?
Support submit to k8s only with token.
Why are the changes needed?
Now, sumbit to k8s always need oauth files.
Does this PR introduce any user-facing change?
How was this patch tested?
Before, submit job out of k8s cluster without correct ca.crt, we may get this exception:
When set spark.kubernetes.trust.certificates = true, we can submit only with correct token, no need to config ca.crt in local env.
Submit as: