[SPARK-57106] Disallow watched namespace changes via dynamic config#692

Draft
dongjoon-hyun wants to merge 2 commits into apache:main from dongjoon-hyun:SPARK-57106

@dongjoon-hyun
Member

What changes were proposed in this pull request?

Stop the dynamic-config reconciler from changing the operator's watched namespaces. The namespaceUpdater wiring is removed from SparkOperatorConfigMapReconciler, and the now-orphaned updateWatchingNamespaces method (and registeredSparkControllers field) are removed from SparkOperator. watchedNamespaces is set once in the constructor from Helm values.

Why are the changes needed?

A write to the dynamic-config ConfigMap could expand the operator's watched namespaces at runtime, widening its blast radius without a restart or RBAC change. Watched-namespace scope should be defined at deploy time only.

Does this PR introduce any user-facing change?

Yes. Changes to the watched-namespaces key in the dynamic-config ConfigMap are now ignored. Operators must be restarted with updated Helm values to change watched namespaces. Other dynamic-config keys are unchanged.

How was this patch tested?

Updated SparkOperatorConfigMapReconcilerTest and SparkOperatorTest (removed the obsolete namespace-update test). Verified with gradle :spark-operator:test.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Opus 4.7)

Contributor

@peter-toth peter-toth left a comment

LGTM, but do we need a config to trigger legacy behaviour or was it always unsafe?

@dongjoon-hyun
Member Author

It's always unsafe and the user needs to reinstall via Helm.

> Operators must be restarted with updated Helm values to change watched namespaces.

@dongjoon-hyun
Member Author

Thank you, @peter-toth and @viirya.

@aaruna
Contributor

aaruna commented May 27, 2026

> It's always unsafe and the user needs to reinstall via Helm.

@dongjoon-hyun Pls clarify what's unsafe.
The Spark operator admins control access to the spark operator namespace and so control the dynamic config access. So as long as the operator is only looking at the configmap within its namespace, how is this a concern? Is there some additional context?

Member Author

@dongjoon-hyun dongjoon-hyun left a comment

There are some requests to keep the previous features because it's protected safely in the properly configured environments. I'm holding on this PR and trying to keep the existing features in a way.

@dongjoon-hyun dongjoon-hyun marked this pull request as draft May 27, 2026 22:53