Java Apache Spark提交k8s API https错误
Spark版本:2.4.4 k8s版本:1.18 我有一个火花和一个k8s集群 我遵循Spark文档: 当我在k8s上提交带有HTTP代理的作业时:一切正常 但是,在k8s上使用本机HTTPS API时,我遇到了以下错误:Java Apache Spark提交k8s API https错误,java,api,apache-spark,kubernetes,https,Java,Api,Apache Spark,Kubernetes,Https,Spark版本:2.4.4 k8s版本:1.18 我有一个火花和一个k8s集群 我遵循Spark文档: 当我在k8s上提交带有HTTP代理的作业时:一切正常 但是,在k8s上使用本机HTTPS API时,我遇到了以下错误: Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provide
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
以前我必须将k8s API证书导入我的主Spark(keytool)
这很奇怪,因为没有匿名用户
我已经尝试将“匿名”用户添加到k8s,但没有效果
如果我尝试不导入API证书,则会出现以下错误:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
我提交作业的命令:
-bash-4.2$ spark-submit --master k8s://https://ip:port --deploy-mode cluster --name spark-pi --class org.apache.spark.examples.SparkPi --conf spark.executor.instances=3 --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark --conf spark.kubernetes.container.image=docker.io/spawnxx/spark:fink-test-2 hdfs://hdfs_ip/user/sacha.pateyron/spark-examples_2.11-2.4.4.jar 1000
Apache Spark本机不支持K8s https API(因此我必须导入证书)
有什么想法吗?解决方案:
HTTPS k8s API使用证书和令牌进行身份验证
首先下载k8s HTTPS API:
在master spark上->
echo -n|openssl s_client -connect ip_master_k8s:port_https_api|openssl x509 -outform PEM > selfsigned_certificate.pem
在k8s主机上获取火花令牌:
kubectl get secret
kubectl describe secret spark-token-XXX
然后在Spark master上提交一份带有证书和令牌的作业:
spark-submit --master k8s://https://ip_master_k8s:port_https_api --deploy-mode cluster --name spark-pi --class org.apache.spark.examples.SparkPi --conf spark.executor.instances=3 --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark --conf spark.kubernetes.container.image=your_image --conf spark.kubernetes.authenticate.submission.caCertFile=selfsigned_certificate.pem --conf spark.kubernetes.authenticate.submission.oauthToken=spark-token-XXX hdfs://ip_master_hdfs/my_jar
群集是否配置了身份验证代理?http代理做什么?不。我使用k8s http代理只是为了避免https TLS API。