Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spark on Kubernetes job fails if service account doesn't have permission to all namespaces. #461

Open
ashokkumarrathore opened this issue Nov 15, 2024 · 5 comments
Open

Spark on Kubernetes job fails if service account doesn't have permission to all namespaces. #461

ashokkumarrathore opened this issue Nov 15, 2024 · 5 comments

Comments

@ashokkumarrathore
Copy link

ashokkumarrathore commented Nov 15, 2024
edited
Loading

In a multi tenant Kubernetes cluster, it will not always be the case that livy service account has access to all namespaces. Since Livy currently looks for job in all namespaces, it fails if the permission is not there for some namespace in cluster.

Ideally we should only look for job in the namespace it was submitted to. Relevant code is here, i think :

incubator-livy/server/src/main/scala/org/apache/livy/utils/SparkKubernetesApp.scala

Line 446 in 1f6bd7a

withRetry(kubernetesClient.getApplications().find(_.getApplicationTag.contains(appTag)))

Also this,

incubator-livy/server/src/main/scala/org/apache/livy/utils/SparkKubernetesApp.scala

Line 689 in 1f6bd7a

client.pods.inAnyNamespace

@ashokkumarrathore
Copy link
Author

@askhatri @jahstreet fyi

@askhatri askhatri mentioned this issue Nov 15, 2024
Open
@askhatri
Copy link
Contributor

Thank you @ashokkumarrathore for the findings. @jahstreet, please review and share your insights.

@ashokkumarrathore
Copy link
Author

The potential fix is to provide a namespace argument and use that in GetApplications() from Kubernetes. So, rather than looking for app in any namespace here, it should be namespaced.

The namespace need to be passed from here:

incubator-livy/server/src/main/scala/org/apache/livy/server/batch/BatchSession.scala

Line 109 in 1f6bd7a

SparkApp.create(appTag, None, Option(sparkSubmit), livyConf, Option(s))

There are couple of options on how we do this:

  1. Add a namespace argument to SparkApp.create() call. This changes the create() function definition which is generic for both YarnApp and KubernetesApp.
  2. To avoid modifying create() call, we can put namespace as part of LivyConf and pass a copy of this rather than actual ref. This will have minimal changes but technically namespace should not be part of LivyConf.

@jahstreet @askhatri Please let me know your thoughts and i can implement it accordingly.

@askhatri
Copy link
Contributor

Hi @ashokkumarrathore,
Thank you for your efforts. I agree with the suggested fix.
CC: @jahstreet , @gyogal

@ashokkumarrathore
Copy link
Author

ashokkumarrathore commented Jan 1, 2025
edited
Loading

@askhatri @jahstreet Changes for namespace support in Livy for Spark on k8s. #462
Can you guys please take a look?
Also, currently no builds are running for this, can you please approve the workflow to run build/test?

@ashokkumarrathore ashokkumarrathore mentioned this issue Jan 3, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ashokkumarrathore @askhatri