Skip to content

Commit

Permalink
cherry-pick ce08e16
Browse files Browse the repository at this point in the history 
Grant spark-operator write access for the required apigroup

Update aissemble-spark-operator-chart README to reflect the rbac.yaml change

Add template comment for the custom rbac.yaml file notifying why the change is required
  • Loading branch information
@J-Clingerman @ewilkins-csi
J-Clingerman authored and ewilkins-csi committed Sep 17, 2024
1 parent a257495 commit 44d816c
Show file tree
Hide file tree
Showing 3 changed files with 175 additions and 11 deletions.
35 changes: 25 additions & 10 deletions extensions/extensions-helm/aissemble-spark-operator-chart/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,18 +37,33 @@ aissemble-spark-operator-chart:
webhook.enable: false
```
| Property | Description | Required Override | Default |
|------------------------------------|------------------------------------|-------------------|-------------------------------------------------------------------|
| image.repository | The image repository | No | ghcr.io/boozallen/aissemble-spark-operator |
| image.tag | The image tag | No | Chart.Version |
| webhook.enable | Enable webhook server | No | true |
| volumes | Volumes for the pod | No | `spark-logging=/tmp/spark-logging`, `ivy-cache=/home/spark/.ivy2` |
| volumeMounts | Volume Mounts for the pod | No | `spark-logging=/tmp/spark-logging`, `ivy-cache=/home/spark/.ivy2` |
| fullnameOverride | String to override release name | No | spark-operator |
| serviceAccounts.spark.name | Name for the spark service account | No | spark |
| serviceAccounts.sparkoperator.name | Name for the spark service account | No | sparkoperator |
| Property | Description | Required Override | Default |
|------------------------------------|------------------------------------|-------------------|-------------------------------------------------------------------------------------------------|
| image.repository | The image repository | No | ghcr.io/boozallen/aissemble-spark-operator |
| image.tag | The image tag | No | Chart.Version |
| webhook.enable | Enable webhook server | No | true |
| volumes | Volumes for the pod | No | `spark-logging=/tmp/spark-logging`, `ivy-cache=/home/spark/.ivy2` |
| volumeMounts | Volume Mounts for the pod | No | `spark-logging=/tmp/spark-logging`, `ivy-cache=/home/spark/.ivy2` |
| fullnameOverride | String to override release name | No | spark-operator |
| rbac.createClusterRole | See `Migrated Properties` | No | false |
| serviceAccounts.spark.name | Name for the spark service account | No | spark |
| serviceAccounts.sparkoperator.name | Name for the spark service account | No | sparkoperator |
| podSecurityContext | Pod security context | No | runAsUser: 185<br/>runAsGroup: 1000<br/>fsGroup: 1000<br/>fsGroupChangePolicy: "OnRootMismatch" |

## Migrated Properties
The following properties have been migrated from the `spark-operator` subchart to the `aissemble-spark-operator-chart` chart.
Any required overrides should be cognisant of the alternate path. For example:

```yaml
aissemble-spark-operator-chart:
rbac:
createClusterRole: false
```

| Property | Description | Default |
|------------------------|-------------------------------------------------------------------------------|---------|
| rbac.createClusterRole | Create and use RBAC `ClusterRole` resources. Migrated to use modified rules. | true |

# Shared Ivy Cache

Spark uses [Ivy](https://ant.apache.org/ivy/) to resolve and download dependencies for Spark applications. By default,
Expand Down
140 changes: 140 additions & 0 deletions extensions/extensions-helm/aissemble-spark-operator-chart/templates/rbac.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
{{- /*
aiSSEMBLE Custom rbac.yaml

Required custom rbac.yaml file that grants the sparkoperator service account
create, delete, and update access to the apigroup apiextensions.k8s.io.

This is necessary for the pipeline-invocation-service to create instances of the
SparkApplication CRD to submit pipelines to the Spark Operator for execution.
*/}}

{{- if or .Values.rbac.create .Values.rbac.createClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-delete-policy": hook-failed, before-hook-creation
"helm.sh/hook-weight": "-10"
labels:
{{- include "spark-operator.labels" (index .Subcharts "spark-operator") | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- "*"
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
verbs:
- create
- get
- delete
- update
- list
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- get
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- ""
resources:
- resourcequotas
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- update
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- get
- update
- delete
- apiGroups:
- sparkoperator.k8s.io
resources:
- sparkapplications
- sparkapplications/status
- scheduledsparkapplications
- scheduledsparkapplications/status
verbs:
- "*"
{{- if .Values.batchScheduler.enable }}
# required for the `volcano` batch scheduler
- apiGroups:
- scheduling.incubator.k8s.io
- scheduling.sigs.dev
- scheduling.volcano.sh
resources:
- podgroups
verbs:
- "*"
{{- end }}
{{ if .Values.webhook.enable }}
- apiGroups:
- batch
resources:
- jobs
verbs:
- delete
{{- end }}

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
annotations:
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-delete-policy": hook-failed, before-hook-creation
"helm.sh/hook-weight": "-10"
labels:
{{- include "spark-operator.labels" (index .Subcharts "spark-operator") | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "spark-operator.serviceAccountName" (index .Subcharts "spark-operator") }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "spark-operator.fullname" (index .Subcharts "spark-operator") }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
11 changes: 10 additions & 1 deletion extensions/extensions-helm/aissemble-spark-operator-chart/values.template.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,11 @@ spark-operator:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"

rbac:
# -- Create and use RBAC `ClusterRole` resources
# -- Set to false in order to enable overriding with our own RBAC template
createClusterRole: false

# volumes - Operator volumes
volumes:
- name: spark-logging
Expand All @@ -56,4 +61,8 @@ spark-operator:

sparkoperator:
# -- Optional name for the operator service account
name: "sparkoperator"
name: "sparkoperator"

rbac:
# -- Set to True in order to enable overriding with our own RBAC template
createClusterRole: True

0 comments on commit 44d816c

Please sign in to comment.