44 changes: 44 additions & 0 deletions api/v1beta2/sparkapplication_types.go
@@ -142,6 +142,9 @@ type SparkApplicationSpec struct {
// scheduler backend since Spark 3.0.
// +optional
DynamicAllocation *DynamicAllocation `json:"dynamicAllocation,omitempty"`
// Kerberos configures Kerberos authentication for Hadoop access.
// +optional
Kerberos *KerberosSpec `json:"kerberos,omitempty"`
}

// SparkApplicationStatus defines the observed state of SparkApplication
@@ -604,6 +607,9 @@ const (
// SecretTypeHadoopDelegationToken is for secrets from an Hadoop delegation token that needs the
// environment variable HADOOP_TOKEN_FILE_LOCATION.
SecretTypeHadoopDelegationToken SecretType = "HadoopDelegationToken"
// SecretTypeKerberosKeytab is for secrets from a Kerberos keytab file that needs the
// environment variable KRB5_KEYTAB_FILE.
SecretTypeKerberosKeytab SecretType = "KerberosKeytab"
// SecretTypeGeneric is for secrets that needs no special handling.
SecretTypeGeneric SecretType = "Generic"
)
@@ -717,3 +723,41 @@ type DynamicAllocation struct {
// +optional
ShuffleTrackingTimeout *int64 `json:"shuffleTrackingTimeout,omitempty"`
}

// KerberosSpec defines the Kerberos authentication configuration for Hadoop access.
type KerberosSpec struct {
// Principal is the Kerberos principal name for authentication.
// +optional
Principal *string `json:"principal,omitempty"`
// KeytabSecret is the name of the secret containing the Kerberos keytab file.
// +optional
KeytabSecret *string `json:"keytabSecret,omitempty"`
// KeytabFile is the path to the keytab file within the keytab secret.
// Defaults to "krb5.keytab" if not specified.
// +optional
KeytabFile *string `json:"keytabFile,omitempty"`
// ConfigSecret is the name of the secret containing the Kerberos configuration file (krb5.conf).
// +optional
ConfigSecret *string `json:"configSecret,omitempty"`
// ConfigFile is the path to the krb5.conf file within the config secret.
// Defaults to "krb5.conf" if not specified.
// +optional
ConfigFile *string `json:"configFile,omitempty"`
// Realm is the Kerberos realm. This is optional and can be inferred from the principal.
// +optional
Realm *string `json:"realm,omitempty"`
// KDC is the Key Distribution Center address.
// +optional
KDC *string `json:"kdc,omitempty"`
// RenewalCredentials specifies the credential renewal strategy.
// Valid values are "keytab" (default) and "ccache".
// "keytab" enables automatic renewal using the provided keytab.
// "ccache" uses existing ticket cache (requires manual ticket management).
// +optional
// +kubebuilder:validation:Enum={keytab,ccache}
RenewalCredentials *string `json:"renewalCredentials,omitempty"`
// EnabledServices specifies which Hadoop services should have Kerberos credentials enabled.
// Defaults to ["hadoopfs", "hbase", "hive"] if not specified.
// +optional
EnabledServices []string `json:"enabledServices,omitempty"`
}
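Review bot: `KeytabFile` and `ConfigFile` in the new `KerberosSpec` are described as paths inside the mounted secrets but carry no validation markers, so the schema accepts absolute paths and values containing `..`. The code that turns them into a keytab or krb5.conf location is not in this section; if it joins them onto a mount directory, the result can point outside the secret volume. If only plain key names are intended, I would constrain both at the API level, e.g. `// +kubebuilder:validation:Pattern="^[A-Za-z0-9][A-Za-z0-9._-]*$"` with `// +kubebuilder:validation:MaxLength=253`, and give `EnabledServices` an items pattern as well, since its entries presumably end up inside Spark configuration keys. Separately, the `SecretTypeKerberosKeytab` comment names `KRB5_KEYTAB_FILE`, which is not a variable MIT Kerberos itself reads (`KRB5_KTNAME` is), so the comment should say which component consumes it.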
65 changes: 65 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions charts/spark-operator-chart/README.md
@@ -173,6 +173,12 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
| spark.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the spark applications pods. |
| spark.rbac.create | bool | `true` | Specifies whether to create RBAC resources for spark applications. |
| spark.rbac.annotations | object | `{}` | Optional annotations for the spark application RBAC resources. |
| spark.kerberos.enable | bool | `false` | Enable Kerberos authentication support for Spark applications. |
| spark.kerberos.defaultPrincipal | string | `""` | Default Kerberos principal for authentication (can be overridden per application). Example: [email protected] |
| spark.kerberos.defaultRealm | string | `""` | Default Kerberos realm (can be overridden per application). Example: EXAMPLE.COM |
| spark.kerberos.defaultKDC | string | `""` | Default Kerberos KDC address (can be overridden per application). Example: kdc.example.com:88 |
| spark.kerberos.defaultKeytabSecret | string | `""` | Name of the secret containing the default Kerberos keytab file. This secret should contain a file named 'krb5.keytab' |
| spark.kerberos.defaultConfigSecret | string | `""` | Name of the secret containing the default Kerberos configuration (krb5.conf). This secret should contain a file named 'krb5.conf' |
| prometheus.metrics.enable | bool | `true` | Specifies whether to enable prometheus metrics scraping. |
| prometheus.metrics.port | int | `8080` | Metrics port. |
| prometheus.metrics.portName | string | `"metrics"` | Metrics port name. |
@@ -10342,6 +10342,57 @@ spec:
items:
type: string
type: array
kerberos:
description: Kerberos configures Kerberos authentication for Hadoop
access.
properties:
configFile:
description: |-
ConfigFile is the path to the krb5.conf file within the config secret.
Defaults to "krb5.conf" if not specified.
type: string
configSecret:
description: ConfigSecret is the name of the secret containing
the Kerberos configuration file (krb5.conf).
type: string
enabledServices:
description: |-
EnabledServices specifies which Hadoop services should have Kerberos credentials enabled.
Defaults to ["hadoopfs", "hbase", "hive"] if not specified.
items:
type: string
type: array
kdc:
description: KDC is the Key Distribution Center address.
type: string
keytabFile:
description: |-
KeytabFile is the path to the keytab file within the keytab secret.
Defaults to "krb5.keytab" if not specified.
type: string
keytabSecret:
description: KeytabSecret is the name of the secret containing
the Kerberos keytab file.
type: string
principal:
description: Principal is the Kerberos principal name for
authentication.
type: string
realm:
description: Realm is the Kerberos realm. This is optional
and can be inferred from the principal.
type: string
renewalCredentials:
description: |-
RenewalCredentials specifies the credential renewal strategy.
Valid values are "keytab" (default) and "ccache".
"keytab" enables automatic renewal using the provided keytab.
"ccache" uses existing ticket cache (requires manual ticket management).
enum:
- keytab
- ccache
type: string
type: object
mainApplicationFile:
description: MainFile is the path to a bundled JAR, Python, or
R file of the application.
@@ -10260,6 +10260,56 @@ spec:
items:
type: string
type: array
kerberos:
description: Kerberos configures Kerberos authentication for Hadoop
access.
properties:
configFile:
description: |-
ConfigFile is the path to the krb5.conf file within the config secret.
Defaults to "krb5.conf" if not specified.
type: string
configSecret:
description: ConfigSecret is the name of the secret containing
the Kerberos configuration file (krb5.conf).
type: string
enabledServices:
description: |-
EnabledServices specifies which Hadoop services should have Kerberos credentials enabled.
Defaults to ["hadoopfs", "hbase", "hive"] if not specified.
items:
type: string
type: array
kdc:
description: KDC is the Key Distribution Center address.
type: string
keytabFile:
description: |-
KeytabFile is the path to the keytab file within the keytab secret.
Defaults to "krb5.keytab" if not specified.
type: string
keytabSecret:
description: KeytabSecret is the name of the secret containing
the Kerberos keytab file.
type: string
principal:
description: Principal is the Kerberos principal name for authentication.
type: string
realm:
description: Realm is the Kerberos realm. This is optional and
can be inferred from the principal.
type: string
renewalCredentials:
description: |-
RenewalCredentials specifies the credential renewal strategy.
Valid values are "keytab" (default) and "ccache".
"keytab" enables automatic renewal using the provided keytab.
"ccache" uses existing ticket cache (requires manual ticket management).
enum:
- keytab
- ccache
type: string
type: object
mainApplicationFile:
description: MainFile is the path to a bundled JAR, Python, or R file
of the application.
25 changes: 25 additions & 0 deletions charts/spark-operator-chart/values.yaml
@@ -409,6 +409,31 @@ spark:
# -- Optional annotations for the spark application RBAC resources.
annotations: {}

# Kerberos configuration for Spark applications
kerberos:
# -- Enable Kerberos authentication support for Spark applications.
enable: false

# -- Default Kerberos principal for authentication (can be overridden per application).
# Example: [email protected]
defaultPrincipal: ""

# -- Default Kerberos realm (can be overridden per application).
# Example: EXAMPLE.COM
defaultRealm: ""

# -- Default Kerberos KDC address (can be overridden per application).
# Example: kdc.example.com:88
defaultKDC: ""

# -- Name of the secret containing the default Kerberos keytab file.
# This secret should contain a file named 'krb5.keytab'
defaultKeytabSecret: ""

# -- Name of the secret containing the default Kerberos configuration (krb5.conf).
# This secret should contain a file named 'krb5.conf'
defaultConfigSecret: ""

prometheus:
metrics:
# -- Specifies whether to enable prometheus metrics scraping.
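Review bot: `defaultKeytabSecret` and `defaultConfigSecret` name Secrets without saying which namespace they must live in, and a keytab is a long-lived credential for `defaultPrincipal`. Secrets are namespace-scoped, so the comments should state that the Secret has to exist in each namespace where Spark applications run, and that every application falling back to the default presumably authenticates as the same principal. Nothing in this section shows what happens when `enable` is true but the secret names are left empty; that case is worth documenting or rejecting at render time. Suggested comment: `# The Secret must exist in every Spark job namespace; applications that do not set their own kerberos block share this keytab and principal.`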
@@ -10342,6 +10342,57 @@ spec:
items:
type: string
type: array
kerberos:
description: Kerberos configures Kerberos authentication for Hadoop
access.
properties:
configFile:
description: |-
ConfigFile is the path to the krb5.conf file within the config secret.
Defaults to "krb5.conf" if not specified.
type: string
configSecret:
description: ConfigSecret is the name of the secret containing
the Kerberos configuration file (krb5.conf).
type: string
enabledServices:
description: |-
EnabledServices specifies which Hadoop services should have Kerberos credentials enabled.
Defaults to ["hadoopfs", "hbase", "hive"] if not specified.
items:
type: string
type: array
kdc:
description: KDC is the Key Distribution Center address.
type: string
keytabFile:
description: |-
KeytabFile is the path to the keytab file within the keytab secret.
Defaults to "krb5.keytab" if not specified.
type: string
keytabSecret:
description: KeytabSecret is the name of the secret containing
the Kerberos keytab file.
type: string
principal:
description: Principal is the Kerberos principal name for
authentication.
type: string
realm:
description: Realm is the Kerberos realm. This is optional
and can be inferred from the principal.
type: string
renewalCredentials:
description: |-
RenewalCredentials specifies the credential renewal strategy.
Valid values are "keytab" (default) and "ccache".
"keytab" enables automatic renewal using the provided keytab.
"ccache" uses existing ticket cache (requires manual ticket management).
enum:
- keytab
- ccache
type: string
type: object
mainApplicationFile:
description: MainFile is the path to a bundled JAR, Python, or
R file of the application.