[
https://issues.apache.org/jira/browse/YUNIKORN-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18052957#comment-18052957
]
Wilfred Spiegelenburg commented on YUNIKORN-3136:
-------------------------------------------------
I would recommend using the values.yaml file and specifying your security
context there for the YuniKorn deployment instead of rendering it via a list of
--set options on the command line (see YUNIKORN-2990).
The pod security context in the taskgroup definition is already there. There is
a more focussed Jira open to add specific settings from a hardening perspective.
Marking this as a duplicate of YUNIKORN-3132.
> TaskGroup POD security context modification
> -------------------------------------------
>
> Key: YUNIKORN-3136
> URL: https://issues.apache.org/jira/browse/YUNIKORN-3136
> Project: Apache YuniKorn
> Issue Type: Task
> Reporter: Sabarish kumar
> Priority: Major
>
> We are using YuniKorn as a gang scheduler for a Spark application. Our internal
> security team checks for a few mandatory security context parameters; if the
> security context is not present, the pod is blocked from execution.
> As part of this gang scheduling, every time I trigger a Spark job, I am
> able to see a lightweight pause TaskGroup (tg-spark-****) pod getting
> created to check whether my application gets enough resources or not.
> The actual problem is that our security system scans pods for a few security
> values, and the values below are missing in the TG pod, so it is blocked from
> execution. This causes our jobs to not properly allocate resources for
> execution. We need your help with how to configure these parameters in
> TaskGroup pods.
> securityContext:
>   capabilities:
>     drop:
>       - ALL
>   seccompProfile:
>     type: RuntimeDefault
> Below is the Helm command we use for installation:
> helm install yunikorn yunikorn/yunikorn -n yunikorn --version 1.7.0 \
>   --set embedAdmissionController=false \
>   --set enableSchedulerPlugin=true \
>   --set service.type=NodePort \
>   --set podSecurityContext.runAsNonRoot=true \
>   --set podSecurityContext.seccompProfile.type=RuntimeDefault \
>   --set schedulerSecurityContext.runAsNonRoot=true \
>   --set schedulerSecurityContext.seccompProfile.type=RuntimeDefault \
>   --set schedulerSecurityContext.capabilities.drop=\{ALL} \
>   --set webSecurityContext.runAsNonRoot=true \
>   --set webSecurityContext.seccompProfile.type=RuntimeDefault \
>   --set webSecurityContext.capabilities.drop=\{ALL}
> Job level annotation for TaskGroup:
> annotations:
>   yunikorn.apache.org/schedulingPolicyParameters: "placeholderTimeoutInSeconds=900 gangSchedulingStyle=Hard"
>   yunikorn.apache.org/allow-preemption: "false"
>   yunikorn.apache.org/task-group-name: "driver"
>   yunikorn.apache.org/task-groups: |-
>     [{
>       "name": "driver",
>       "minMember": 1,
>       "minResource": {
>         "cpu": "2000.0m",
>         "memory": "4.5Gi"
>       }
>     },
>     {
>       "name": "executor",
>       "minMember": 2,
>       "minResource": {
>         "cpu": "2000.0m",
>         "memory": "2.8Gi"
>       }
>     }]
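
Added example (not part of the original Jira message or of the YuniKorn project's files): the --set flags from the quoted helm install command written as a values file, which is what the comment recommends for the YuniKorn deployment. The file name values-hardened.yaml is an assumption; every key and value is copied from the quoted command.

```yaml
# values-hardened.yaml (file name is an assumption)
# Keys and values mirror the --set flags in the quoted command one for one.
# Install with:
#   helm install yunikorn yunikorn/yunikorn -n yunikorn --version 1.7.0 \
#     -f values-hardened.yaml

embedAdmissionController: false
enableSchedulerPlugin: true

service:
  type: NodePort

# Was: --set podSecurityContext.*
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Was: --set schedulerSecurityContext.*
schedulerSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:          # --set ...capabilities.drop=\{ALL} is Helm's list syntax
      - ALL

# Was: --set webSecurityContext.*
webSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL
```

Writing the list as YAML avoids the shell escaping that the `drop=\{ALL}` form needs, and the file can be reviewed and version-controlled alongside the cluster's other security policy.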