Closed foxish closed 7 years ago
@foxish @kimoonkim Regarding RBAC roles for the RSS and shuffle service, is there any customization needed, or are they well taken care of by the default role/service account used by their pods? AFAIK, none of them need write access to the API server. Correct me if I'm wrong.
One thing that jumps out to me. The shuffle service relies on HostPath volumes, which are not necessarily available to all pods. There is PodSecurityPolicy that can be used together with RBAC to allow the access. For details, see this doc. So I think we should address PSP RBAC rules. I'll be happy to dig more into this, as it also applies to kubernetes-HDFS.
@kimoonkim I also found this doc, which also seems related.
Ah. That doc seems very relevant. Thanks for sharing it!
Probably not the scope of this issue. But I was wondering if we should also think about human accounts and the role bindings they need to run Spark jobs and these other services.
I am personally using the cluster admin account for myself, but not every user will have access to that in a large org.
I agree that we should think about non-admin user accounts, which are likely much more common in production environments in large clusters.
We need RBAC roles associated with each component - shuffle service, RSS. Also, need instructions to set up service accounts for driver and executor pods.
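Below is an added example, not from this issue thread or the project, of one least-privilege layout for the pieces discussed above: a driver service account bound to a namespaced Role, an executor service account with no API access at all, and a PodSecurityPolicy plus `use` binding so only the shuffle service's pods may mount a HostPath volume. The namespace `spark-jobs`, the account and policy names, and the shuffle directory `/tmp/spark-local` are constructed placeholders; the exact resource list a given Spark version's driver needs (pods, and in later versions services and configmaps) is an assumption to check against the docs for that version.

```yaml
# Added example (not from the issue or the project). All names are placeholders.

# Driver: the only component that needs to talk to the API server, because it
# creates and deletes executor pods. Keep it namespaced; no cluster-wide verbs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark-driver
  namespace: spark-jobs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-driver
  namespace: spark-jobs
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "get", "list", "watch", "delete", "deletecollection"]
- apiGroups: [""]
  resources: ["services", "configmaps"]   # assumption: needed by newer drivers only
  verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-driver
  namespace: spark-jobs
subjects:
- kind: ServiceAccount
  name: spark-driver
  namespace: spark-jobs
roleRef:
  kind: Role
  name: spark-driver
  apiGroup: rbac.authorization.k8s.io
---
# Executors: no Role is bound, and the token is not even mounted, so a
# compromised executor holds no API credential.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark-executor
  namespace: spark-jobs
automountServiceAccountToken: false
---
# Shuffle service: runs as a DaemonSet with a HostPath volume. The PSP restricts
# hostPath to one prefix and is granted only to this service account via "use".
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: spark-shuffle-hostpath
spec:
  privileged: false
  allowPrivilegeEscalation: false
  volumes: ["hostPath", "emptyDir", "secret"]
  allowedHostPaths:
  - pathPrefix: "/tmp/spark-local"    # placeholder: the dir the DaemonSet mounts
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark-shuffle
  namespace: spark-jobs
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spark-shuffle-psp
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["spark-shuffle-hostpath"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-shuffle-psp
  namespace: spark-jobs
subjects:
- kind: ServiceAccount
  name: spark-shuffle
  namespace: spark-jobs
roleRef:
  kind: ClusterRole
  name: spark-shuffle-psp
  apiGroup: rbac.authorization.k8s.io
```

To confirm the split is what you intended, `kubectl auth can-i create pods --as=system:serviceaccount:spark-jobs:spark-driver -n spark-jobs` should answer `yes`, while the same query for `spark-executor` should answer `no`. PodSecurityPolicy was removed from Kubernetes in 1.25; on current clusters the HostPath restriction is expressed through Pod Security Admission or an admission controller instead, but the RBAC part of the layout is unchanged.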