
Kubernetes Authentication Options

Open godber opened this issue 7 years ago • 2 comments

We should fully explore our options for properly configuring the teraslice k8s management user. The Spark on kubernetes documentation does a good job of explaining our options:

https://spark.apache.org/docs/2.3.0/running-on-kubernetes.html#kubernetes-features

The most straightforward option would be to place the teraslice cluster into a dedicated namespace and grant the default ServiceAccount the cluster-admin role in that namespace.

Another option: we can create a specific ServiceAccount in the specified namespace and ensure that the proper roles get created and bound to that account.

godber, Jul 11 '18 21:07

Or as described in the Spark documentation, we should allow the use of the default namespace if an explicit namespace is not provided. And use the default ServiceAccount in the effective namespace if an explicit ServiceAccount is not specified. Of course this makes communicating the proper RBAC configuration for k8s harder, but it's the right thing for the code to do.

godber, Jul 11 '18 21:07

Note that at this point, we've added support for namespaces, and the current expectation is that the default serviceaccount for that namespace has all permissions in that namespace.

godber, Aug 21 '18 20:08
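
The two options from the issue description, written out as RBAC manifests. This is an added example, not configuration from the teraslice project; the namespace `ts-example`, the object names, and the resource list in the Role are assumptions.

```yaml
# Option 1 from the issue: the namespace's default ServiceAccount gets
# cluster-admin. Using a RoleBinding (not a ClusterRoleBinding) limits the
# grant to this one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: teraslice-default-admin      # hypothetical name
  namespace: ts-example              # hypothetical namespace
subjects:
  - kind: ServiceAccount
    name: default
    namespace: ts-example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
# Option 2 from the issue: a dedicated ServiceAccount with its own Role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: teraslice-master             # hypothetical name
  namespace: ts-example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: teraslice-manager            # hypothetical name
  namespace: ts-example
rules:
  # Assumed resource list; replace with what the management user really needs.
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "services", "deployments", "jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: teraslice-manager
  namespace: ts-example
subjects:
  - kind: ServiceAccount
    name: teraslice-master
    namespace: ts-example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: teraslice-manager
```

With option 1, every pod in the namespace that does not name a ServiceAccount also runs as `default` and inherits the binding. Either grant can be checked with `kubectl auth can-i --as=system:serviceaccount:ts-example:teraslice-master create jobs -n ts-example`.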