[https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16276159#comment-16276159]
Xuan Gong commented on YARN-7468:
---------------------------------
Thanks, [~clayb] for creating the Jira.
In general, we are trying to isolate network access for applications launched
by users/groups. Ideally, YARN should be able to isolate both egress and
ingress network traffic for launched containers. For the first step, we only
focus on egress network isolation (we will look at ingress network in the
future). For example, we only allow privileged users the ability to copy
sensitive data out from a cluster.
[~clayb] has described many interesting use-cases from the user's perspective.
From YARN's perspective,
* YARN will not/should not enforce isolation itself - admins should use their
tools like iptables
* YARN should tag the traffic going out of YARN containers to enable DMZ like
use-cases
Here, we can follow in the footsteps of YARN-2140; using the same cgroups
network classifier, we can filter the packets without having to use network
namespaces.
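The tagging-plus-filtering split described in the comment above (YARN tags container traffic via the net_cls cgroup, the admin enforces with iptables) can be sketched as follows. This is an added illustration, not code from YARN or from the commenter; the function names, the `CGROUP_ROOT` variable and the sample classid values are assumptions. The functions only print the values and commands an admin would review, they do not apply anything.

```shell
#!/bin/sh
# Added example (not YARN's code): encode a net_cls classid for a per-user or
# per-queue cgroup and emit the egress rules that would match it.

# net_cls.classid is a 32-bit value written as 0xAAAABBBB: the major handle
# in the high 16 bits, the minor handle in the low 16 bits.
classid_encode() {
  major=$1; minor=$2
  printf '0x%04x%04x\n' "$major" "$minor"
}

# Reverse the encoding: print "major minor" for a given classid.
classid_decode() {
  value=$(( $1 ))
  printf '%d %d\n' $(( value >> 16 )) $(( value & 65535 ))
}

# Print the commands that would create the cgroup and tag it. CGROUP_ROOT is
# assumed to be the net_cls hierarchy mount point (assumption, not a YARN setting).
netcls_setup_commands() {
  name=$1; major=$2; minor=$3
  root=${CGROUP_ROOT:-/sys/fs/cgroup/net_cls}
  cid=$(classid_encode "$major" "$minor")
  printf 'mkdir -p %s/%s\n' "$root" "$name"
  printf 'echo %s > %s/%s/net_cls.classid\n' "$cid" "$root" "$name"
}

# Print iptables rules for one tagged cgroup: allow egress to an allow-listed
# destination, log and drop anything else it sends out. Uses the xt_cgroup
# match on the classid (-m cgroup --cgroup <classid>).
egress_rules() {
  major=$1; minor=$2; allow_cidr=$3
  cid=$(classid_encode "$major" "$minor")
  printf 'iptables -A OUTPUT -m cgroup --cgroup %s -d %s -j ACCEPT\n' "$cid" "$allow_cidr"
  printf 'iptables -A OUTPUT -m cgroup --cgroup %s -j LOG --log-prefix "yarn-egress-deny "\n' "$cid"
  printf 'iptables -A OUTPUT -m cgroup --cgroup %s -j DROP\n' "$cid"
}

# Usage: queue "analytics" gets classid 0x00100001 (constructed values) and may
# only talk to the cluster's own 10.0.0.0/8 range.
netcls_setup_commands analytics 16 1
egress_rules 16 1 10.0.0.0/8
```

The LOG rule before DROP is what makes denied egress visible to the SOC: every packet a tagged container sends outside the allow-list produces a kernel log line carrying the prefix, which can be correlated back to the queue or user that owns the classid.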
> Provide means for container network policy control
> --------------------------------------------------
>
> Key: YARN-7468
> URL: https://issues.apache.org/jira/browse/YARN-7468
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Clay B.
> Priority: Minor
>
> To prevent data exfiltration from a YARN cluster, it would be very helpful to
> have "firewall" rules able to map to a user/queue's containers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)