############### 14 eI. create a namespace, setup workload identity and test the Spark images ######################
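# deploy spark
#
# Required environment: SPARK_NAMESPACE, PROJECT_ID, SERVICE_ACCOUNT_NAME.
# Abort with a clear message if any is unset, instead of creating a
# namespace and then a half-configured identity binding.
: "${SPARK_NAMESPACE:?SPARK_NAMESPACE must be set}"
: "${PROJECT_ID:?PROJECT_ID must be set}"
: "${SERVICE_ACCOUNT_NAME:?SERVICE_ACCOUNT_NAME must be set}"

# Google service account e-mail, built once so the IAM binding and the
# KSA annotation below cannot drift apart.
gsa_email="${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

kubectl create ns "${SPARK_NAMESPACE}"

# Allow the Kubernetes service account to impersonate the
# Google service account by creating an IAM policy binding
# between the two. This binding allows the Kubernetes Service
# account to act as the Google service account.
#
# The member must name exactly the namespace/KSA that gets annotated
# below. The namespace used to be hard-coded as "spark-native" here,
# so Workload Identity silently failed whenever SPARK_NAMESPACE held
# a different value.
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT_ID}.svc.id.goog[${SPARK_NAMESPACE}/default]" \
  "${gsa_email}"

# Add the iam.gke.io/gcp-service-account=gsa-name@project-id
# annotation to the Kubernetes service account, using the
# email address of the Google service account.
#
# NOTE(review): this binds the GSA to the namespace's "default" KSA, so
# every pod in the namespace that does not set serviceAccountName
# inherits the GSA's GCP permissions. A dedicated KSA for the Spark
# driver/executors limits that blast radius.
kubectl annotate serviceaccount \
  --namespace "${SPARK_NAMESPACE}" \
  default \
  "iam.gke.io/gcp-service-account=${gsa_email}"

# NOTE(review): cluster-admin is a cluster-wide superuser role; the Spark
# driver only needs to create/delete pods, services and configmaps in its
# own namespace (a namespaced RoleBinding to the built-in "edit"
# ClusterRole is the usual choice). Kept as-is to preserve current
# behaviour — confirm the required permissions before narrowing.
kubectl create clusterrolebinding spark-native-sa-admin \
  --clusterrole=cluster-admin \
  --serviceaccount="${SPARK_NAMESPACE}:default"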