[jira] [Comment Edited] (YUNIKORN-3132) Pod & Container Security Context for placeholder pods to be hardened

Wed, 04 Mar 2026 22:56:55 -0800 


    [ 
https://issues.apache.org/jira/browse/YUNIKORN-3132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18063119#comment-18063119
 ] 

Wilfred Spiegelenburg edited comment on YUNIKORN-3132 at 3/5/26 6:55 AM:
-------------------------------------------------------------------------

Please open a documentation PR also. We should add these values to the [config 
docs|https://yunikorn.apache.org/docs/next/user_guide/service_config#service-settings]
 

 
{code:java}
  service.placeholderFsGroup
  service.placeholderRunAsGroup
  service.placeholderRunAsUser{code}
defaults if values are not set are: 65535:65535 for the user and group as per 
the 
[image|https://github.com/kubernetes/kubernetes/blob/master/build/pause/Dockerfile].
 

 


was (Author: wifreds):
Please open a documentation PR also. We should add these values to the [config 
docs|https://yunikorn.apache.org/docs/next/user_guide/service_config#service-settings]
 

 
{code:java}
  service.placeholderFsGroup
  service.placeholderRunAsGroup
  service.placeholderRunAsUser{code}
defaults if values are not set are: 65534 as per the image.

 

> Pod & Container Security Context for placeholder pods to be hardened
> --------------------------------------------------------------------
>
>                 Key: YUNIKORN-3132
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-3132
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>          Components: shim - kubernetes
>            Reporter: Shubham Mishra
>            Assignee: Aditya Maheshwari
>            Priority: Major
>              Labels: pull-request-available
>
> Currently the security context for placeholder pods only sets non root user 
> and groups - 
> [https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
> {code:java}
> Spec: v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ RunAsUser:  
> &runAsUser, RunAsGroup: &runAsGroup, },{code}
> In many enterprise secure environments, this might not be enough and should 
> be more restrictive by design (unless it breaks any functionality).
> Proposing to modify the placeholder.go to add following 
>  - *podSecurityContext:*
> {code:java}
> podSecurityContext:
>     fsGroup:3000
>     runAsGroup:3000
>     runAsNonRoot: true
>     runAsUser:1000{code}
>  * *containerSecurityContext:*
> {code:java}
> containerSecurityContext:
>     privileged: false
>     allowPrivilegeEscalation: false
>     readOnlyRootFilesystem: true
>     capabilities:
>         drop:
>           -all{code}
>  * *hostNetwork: false*



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to