From 3bb594a8feee65ab65ee65207e76b8630c9c2d93 Mon Sep 17 00:00:00 2001 From: zwangsheng <2213335496@qq.com> Date: Mon, 12 Dec 2022 16:57:49 +0800 Subject: [PATCH] [KYUUBI #3902][DOC] Add ServiceAccount related content in kyuubi deploy on kubernetes ### _Why are the changes needed?_ Add `Kyuubi Deploy On Kubernetes ServiceAccount-related` documentation, and explicitly assert serviceAccountName: default as the default configuration in the template file `${KYUUBI_HOME}/docker/kyuubi-pod(deployment).yaml` to make it easier for users to set. ### _How was this patch tested?_ - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible - [ ] Add screenshots for manual tests if appropriate - [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request Closes #3906 from zwangsheng/doc/kyuubi_on_k8s_service_account. Closes #3902 e0ed06d6 [Cheng Pan] Update docs/deployment/kyuubi_on_kubernetes.md 6cd29dd0 [zwangsheng] build doc for serviceAccount Lead-authored-by: zwangsheng <2213335496@qq.com> Co-authored-by: Cheng Pan Signed-off-by: Cheng Pan --- docker/kyuubi-deployment.yaml | 1 + docker/kyuubi-pod.yaml | 1 + docs/deployment/kyuubi_on_kubernetes.md | 16 ++++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/docker/kyuubi-deployment.yaml b/docker/kyuubi-deployment.yaml index 5babeb7c1..808e2d6d7 100644 --- a/docker/kyuubi-deployment.yaml +++ b/docker/kyuubi-deployment.yaml @@ -48,6 +48,7 @@ spec: labels: app: kyuubi-server spec: + serviceAccountName: default containers: - name: kyuubi-server # TODO: replace this with the stable tag diff --git a/docker/kyuubi-pod.yaml b/docker/kyuubi-pod.yaml index ed3e723fb..bbc327262 100644 --- a/docker/kyuubi-pod.yaml +++ b/docker/kyuubi-pod.yaml @@ -48,6 +48,7 @@ metadata: labels: app: kyuubi-server spec: + serviceAccountName: default containers: - name: kyuubi-server # TODO: replace this with the stable tag 
diff --git a/docs/deployment/kyuubi_on_kubernetes.md b/docs/deployment/kyuubi_on_kubernetes.md index 91ebbc574..42c2ab3c8 100644 --- a/docs/deployment/kyuubi_on_kubernetes.md +++ b/docs/deployment/kyuubi_on_kubernetes.md @@ -72,6 +72,22 @@ You can deploy single-node Kyuubi through `${KYUUBI_HOME}/docker/kyuubi-pod.yaml Also, you can use `${KYUUBI_HOME}/docker/kyuubi-service.yaml` to deploy Kyuubi Service. +### [Optional] ServiceAccount + +According to [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), we need to give kyuubi server the corresponding kubernetes privileges for `created/list/delete` engine pods in kubernetes. + +You should create your serviceAccount ( or reuse account with the appropriate privileges ) and set your serviceAccountName for kyuubi pod, which you can find template in `${KYUUBI_HOME}/docker/kyuubi-deployment.yaml` or `${KYUUBI_HOME}/docker/kyuubi-pod.yaml`. + +For example, you can create serviceAccount by following command: + +```shell +kubectl create serviceAccount kyuubi -n + +kubectl create rolebinding kyuubi-role --role=edit --serviceAccount=:kyuubi --namespace= +``` + +See more related details in [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) and [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). + ## Config You can configure Kyuubi the old-fashioned way by placing kyuubi-default.conf inside the image. Kyuubi do not recommend using this way on Kubernetes.
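Review bot: `serviceAccountName: default` in the pod spec of docker/kyuubi-deployment.yaml, and the identical line added to docker/kyuubi-pod.yaml, points both templates at the namespace's `default` ServiceAccount, while the documentation added in the same patch tells users to create a dedicated `kyuubi` account and bind a role to it. Pods that do not set an account of their own also run as `default`, so a user who keeps the template value and grants the role to `default` hands the same privileges to those pods too. Suggest a short comment beside the line in both templates saying the value is a placeholder to replace with the dedicated account, with a pointer to the ServiceAccount section of docs/deployment/kyuubi_on_kubernetes.md.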
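Review bot: In the shell block added to docs/deployment/kyuubi_on_kubernetes.md, `kubectl create rolebinding kyuubi-role --role=edit` references a namespaced Role named `edit`, but the built-in `edit` is a ClusterRole, so the binding should use `--clusterrole=edit` or the doc should first create the Role it binds. `edit` is also much wider than the pod privileges the first paragraph says Kyuubi needs; a dedicated Role limited to those verbs on pods would match the text and keep the account least-privileged. In the same block, kubectl spells the flag `--serviceaccount` in lowercase, and as shown the namespace values are empty in `-n`, `--serviceAccount=:kyuubi` and `--namespace=`, so a visible placeholder is needed in each. Minor: `created/list/delete` should read `create/list/delete`.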