Implementation:Apache Spark Kubectl Auth Check
| Metadata | Value |
|---|---|
| Source | Doc: Running on K8s |
| Domains | Kubernetes |
| Type | External Tool Doc |
| Related | Principle:Apache_Spark_K8s_Prerequisites_Verification |
Overview
External tool documentation for verifying Kubernetes RBAC permissions required by Spark using kubectl.
Description
The kubectl auth can-i command verifies that the current service account has the necessary RBAC permissions for Spark on Kubernetes. Required permissions include create, list, edit, and delete on pods, services, and configmaps. The spark-rbac.yaml reference file provides a complete RBAC configuration that can be applied to set up these permissions.
The verification process uses kubectl auth can-i <verb> <resource> to query the Kubernetes API server for each required permission. Each invocation returns either yes or no, enabling scripted validation of the entire permission set.
Usage
Run before submitting Spark applications to Kubernetes to verify that the active context and service account have all required permissions.
Code Reference
| Item | Reference |
|---|---|
| Source documentation | docs/running-on-kubernetes.md (L45-61) |
| RBAC configuration | resource-managers/kubernetes/integration-tests/dev/spark-rbac.yaml (L1-53) |
| Command | kubectl auth can-i <verb> <resource> |
Inputs and Outputs
| Direction | Description |
|---|---|
| Inputs | kubectl context (configured), Kubernetes cluster accessible |
| Outputs | yes or no per permission check |
Examples
Check individual permissions
```bash
# Check pod permissions
kubectl auth can-i create pods
kubectl auth can-i list pods
kubectl auth can-i delete pods

# Check service permissions
kubectl auth can-i create services
kubectl auth can-i delete services

# Check configmap permissions
kubectl auth can-i create configmaps
kubectl auth can-i delete configmaps
```
Scripted full permission check
```bash
kubectl auth can-i list pods \
  && kubectl auth can-i create pods \
  && kubectl auth can-i delete pods \
  && kubectl auth can-i create services \
  && kubectl auth can-i delete services \
  && kubectl auth can-i create configmaps \
  && kubectl auth can-i delete configmaps \
  && echo "All permissions OK" \
  || echo "Missing required permissions"
```
Apply the full RBAC configuration
```bash
kubectl apply -f resource-managers/kubernetes/integration-tests/dev/spark-rbac.yaml
```
This creates the following resources:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: spark
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spark-sa
  namespace: spark
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spark-role
rules:
  - apiGroups:
      - ""
    resources:
      - "pods"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spark-role-binding
subjects:
  - kind: ServiceAccount
    name: spark-sa
    namespace: spark
roleRef:
  kind: ClusterRole
  name: spark-role
  apiGroup: rbac.authorization.k8s.io
```
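
Without `--as`, `kubectl auth can-i` answers for the identity in the active kubeconfig context, not for the service account the Spark driver will run as. The following added example (not taken from the Spark documentation) runs the scripted permission set from above while impersonating a service account and reports each missing permission individually. The function name `check_spark_rbac` and the `KUBECTL` override variable are assumptions made for this example; the caller needs impersonation rights on the cluster.

```shell
#!/bin/sh
# Added example, not part of the Spark docs.
# KUBECTL is overridable so the check can be dry-run against a stub.
KUBECTL="${KUBECTL:-kubectl}"

# verb:resource pairs taken from the scripted check on this page.
SPARK_PERMS="list:pods create:pods delete:pods create:services delete:services create:configmaps delete:configmaps"

# check_spark_rbac NAMESPACE SERVICEACCOUNT
# Prints one line per permission and returns 0 only if every answer is "yes".
check_spark_rbac() {
    ns="$1"; sa="$2"; missing=0
    for perm in $SPARK_PERMS; do
        verb="${perm%%:*}"; res="${perm#*:}"
        # --as evaluates RBAC for the service account, not the kubeconfig user.
        # can-i exits non-zero on "no", so the exit status is ignored and the
        # printed answer is compared instead.
        answer=$("$KUBECTL" auth can-i "$verb" "$res" -n "$ns" \
                 --as="system:serviceaccount:${ns}:${sa}" 2>/dev/null) || true
        if [ "$answer" = "yes" ]; then
            echo "ok      $verb $res"
        else
            echo "MISSING $verb $res"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Example call with the names from the manifest above:
#   check_spark_rbac spark spark-sa || echo "fix RBAC before spark-submit"
```

An API error or an unreachable cluster is reported as MISSING for that permission, so the check fails closed.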