[jira] [Created] (YUNIKORN-3136) TaskGroup POD security context modification

Fri, 17 Oct 2025 03:37:59 -0700 

Sabarish kumar created YUNIKORN-3136:
----------------------------------------

             Summary: TaskGroup POD security context modification
                 Key: YUNIKORN-3136
                 URL: https://issues.apache.org/jira/browse/YUNIKORN-3136
             Project: Apache YuniKorn
          Issue Type: Task
            Reporter: Sabarish kumar


We are using Yunikorn as a gang scheduler for spark application. Our internal 
security team check for few mandatory security context parameter, in case if 
security context not present, the pod will block for execution.

As part of this gang scheduler, every time when i trigger a spark job, i am 
able to see that light weight pause TaskGroup(tg-spark-****) Pod getting 
created to make sure my application get the enough resources or not.

The actual problem is our security system scan pod for few security value and 
below value are missing in TG pod and block for execution, this cause our job 
are not properly allocating resources for execution. Need your help in, How to 
configure this parameter in TaskGroup pods.

securityContext:
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

Below is the Helm command we use for installation

helm install yunikorn yunikorn/yunikorn -n yunikorn --version 1.7.0 --set 
embedAdmissionController=false --set enableSchedulerPlugin=true --set 
service.type=NodePort --set podSecurityContext.runAsNonRoot=true --set 
podSecurityContext.seccompProfile.type=RuntimeDefault --set 
schedulerSecurityContext.runAsNonRoot=true --set 
schedulerSecurityContext.seccompProfile.type=RuntimeDefault --set 
schedulerSecurityContext.capabilities.drop=\{ALL} --set 
webSecurityContext.runAsNonRoot=true --set 
webSecurityContext.seccompProfile.type=RuntimeDefault --set 
webSecurityContext.capabilities.drop=\{ALL}


Job level annotation for TaskGroup

annotations:
     yunikorn.apache.org/schedulingPolicyParameters: 
"placeholderTimeoutInSeconds=900 gangSchedulingStyle=Hard"
     yunikorn.apache.org/allow-preemption: "false"
     yunikorn.apache.org/task-group-name: "driver"
     yunikorn.apache.org/task-groups: |-
       [{
           "name": "driver",
           "minMember": 1,
           "minResource": {
             "cpu": "2000.0m",
             "memory": "4.5Gi"
           }
         },
         {
           "name": "executor",
           "minMember": 2,
           "minResource": {
             "cpu": "2000.0m",
             "memory": "2.8Gi"
           }
       }]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to