From 6b7f495b899388a61bcd636320f72ea3e522c0a7 Mon Sep 17 00:00:00 2001 
From: Lennon Chin
Date: Thu, 14 Mar 2024 23:04:34 -0700
Subject: [PATCH] [KYUUBI #6183] [K8S] KyuubiConf.getKubernetesConf should set namespace even if the Kubernetes context is empty
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# :mag: Description
## Issue References 🔗

When submitting a Spark engine to a Kubernetes environment, `org.apache.kyuubi.engine.KubernetesApplicationOperation#getApplicationInfoByTag` will use the Kubernetes client to get driver pod info. If we do not set the `spark.kubernetes.context` configuration in the Spark environment, `org.apache.kyuubi.config.KyuubiConf#getKubernetesConf` will construct a client with the **default** namespace; this will cause a privilege problem if Kyuubi is running with a partial rolebinding service account:

```log
2024-03-13 18:13:47.409 ERROR KyuubiSessionManager-exec-pool: Thread-56 org.apache.kyuubi.engine.KubernetesApplicationOperation: Failed to get application by label: kyuubi-unique-tag=b61924ef-a93e-46a3-94be-0de70be5fb5e, due to Failure executing: GET at: https://******:6443/api/v1/namespaces/default/pods?labelSelector=kyuubi-unique-tag&resourceVersion=0. Message: pods is forbidden: User "system:serviceaccount:kyuubi:kyuubi" cannot list resource "pods" in API group "" in the namespace "default". Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=pods, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=pods is forbidden: User "system:serviceaccount:kyuubi:kyuubi" cannot list resource "pods" in API group "" in the namespace "default", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
```

This will appear as an engine startup failure, but in fact the engine is started successfully.
## Describe Your Solution 🔧

`KyuubiConf.getKubernetesConf` method should set namespace even if the Kubernetes context is empty, please see the commit.

## Types of changes :bookmark:

- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request :coffin:

#### Behavior With This Pull Request :tada:

#### Related Unit Tests

---

# Checklist 📝

- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

**Be nice. Be informative.**

Closes #6183 from LennonChin/kubernetes-conf-patch.

Closes #6183

69e653011 [Lennon Chin] KubernetesConf should set namespace even if the kubernetes context is empty

Authored-by: Lennon Chin
Signed-off-by: Wang, Fei
(cherry picked from commit b537e8a252de995ab0e81b4e47a4db3b954ef042)
Signed-off-by: Wang, Fei
---
 .../src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala index a34f3763f0b..534fff6e62f 100644 --- a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala +++ b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala @@ -153,9 +153,9 @@ case class KyuubiConf(loadSysDefault: Boolean = true) extends Logging { conf.set(key, value) } conf.set(KUBERNETES_CONTEXT, c) - namespace.foreach(ns => conf.set(KUBERNETES_NAMESPACE, ns)) conf } + namespace.foreach(ns => conf.set(KUBERNETES_NAMESPACE, ns)) conf }
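
Review bot: No test accompanies the move of `namespace.foreach(ns => conf.set(KUBERNETES_NAMESPACE, ns))` out of the context branch in the `@@ -153,9 +153,9 @@` hunk of KyuubiConf.scala: the diffstat shows a single file changed and the "Related Unit Tests" section of the description is empty. A KyuubiConf test that builds the Kubernetes conf with a namespace supplied and an empty context, then asserts that KUBERNETES_NAMESPACE is set on the result, would pin this behaviour down, since the failure being fixed is a 403 for a namespace-scoped service account and would return silently if the line were moved back. Note also that `namespace` is still optional at the new position: when it is empty nothing is set and the client keeps its default namespace, so a short comment or log line on that path would help whoever next debugs the same Forbidden error.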