[
https://issues.apache.org/jira/browse/YUNIKORN-871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17424469#comment-17424469
]
Peter Bacsko commented on YUNIKORN-871:
---------------------------------------
Ok, I think the bare minimum is to modify {{validations.yaml.template}} and
{{incubator-yunikorn-release/helm-charts/yunikorn/templates/configmap.yaml}}.
However, two things to consider:
1) Are there any other places where we create configmap? I didn't find any
other than {{configmap.yaml}}.
2) How should we handle upgrades? [~kmarton] recommended a follow-up JIRA.
Also, there's this part in {{deployment.yaml}}:
{noformat}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{noformat}
This sets the {{NAMESPACE}} variable which {{admission_util.sh}} will
eventually pick up (provided that {{embedAdmissionController}} is true, which
it is by default). So what is this {{metadata.namespace}}, how it is set? It's
set to "default".
It's also worth pointing out that
{{deployments/admission-controllers/scheduler/configs.properties}} also has a
namespace setting which happens to be "yunikorn".
I think that we should either use "yunikorn" or "default", but not both.
cc [~kmarton] [~wwei]
> Admission controller should only validate yunikorn configmap changes
> --------------------------------------------------------------------
>
> Key: YUNIKORN-871
> URL: https://issues.apache.org/jira/browse/YUNIKORN-871
> Project: Apache YuniKorn
> Issue Type: Bug
> Components: shim - kubernetes
> Reporter: Peter Bacsko
> Assignee: Peter Bacsko
> Priority: Major
>
> Currently, the admission controller is watching all namespaces and tries to
> validate all configmap changes. But we only need to validate the
> yunikorn-related changes.
> Example:
> {noformat}
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z INFO webhook/webhook.go:83 the admission
> controller started {"port": 9089, "listeningOn": ["/mutate",
> "/validate-conf"]}
> $ kubectl create namespace testnamespace
> namespace/testnamespace created
> $ kubectl create configmap my-config --from-literal=mykey=myval
> --namespace=testnamespace
> configmap/my-config created
> $ kubectl get cm
> NAME DATA AGE
> yunikorn-configs 1 11m
> $ kubectl get cm --namespace=testnamespace
> NAME DATA AGE
> my-config 1 17s
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z INFO webhook/webhook.go:83 the admission
> controller started {"port": 9089, "listeningOn": ["/mutate",
> "/validate-conf"]}
> 2021-10-04T12:03:57.806Z INFO webhook/admission_controller.go:304
> AdmissionReviewResponse {"allowed": true}
> {noformat}
>
> We need something like the following in {{validations.yaml.template}}:
> {noformat}
> namespaceSelector:
> matchLabels:
> yunikorn
> {noformat}
> This problem was originally found by [~kmarton].
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
