
Kubernetes scheduler code should support setting a SecurityContext

Open nicknezis opened this issue 4 years ago • 3 comments

Kubernetes scheduler code should support setting a SecurityContext on an analytic's StatefulSet and Pod submissions to allow for pods to spin up in an environment with PodSecurityPolicy enabled.

nicknezis avatar Feb 26 '20 19:02 nicknezis

Hi @nicknezis, I am trying to get acquainted with the code-base and was wondering if this has been resolved yet? I am looking at the following files:

- heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java
- heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java
- heron/spi/src/java/org/apache/heron/spi/common/Config.java

Tests @ heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java

I have grep'd the code base for SecurityContext but was unable to find anything. Are you referring to the Kubernetes configurations for Security Context? I have located the Config.Builder in the org.apache.heron.spi.common package. From the Config.Builder, will I need to use the put method to add the Key-Value pairs for <SecurityContext Field, Value> under the spec::containers::securityContext YAML entry?

I would appreciate any direction you can provide, this is my first ~hour or so rummaging through the code-base.

surahman avatar Aug 26 '21 16:08 surahman

@nicknezis Did you see this?

joshfischer1108 avatar Aug 30 '21 13:08 joshfischer1108

@surahman This has not been resolved yet. Although I believe Kubernetes support for Pod Security Policy may be deprecated and evolving to something else. I believe the Security Context is still worth supporting. I have had some further thoughts on this topic when comparing how other analytic frameworks have solved it.

I've created a Project board to capture various Kubernetes Scheduler improvements I think we should make. Many of the designs mirror what the Apache Spark Kubernetes scheduler does. One of the tickets would solve this SecurityContext issue. Specifically the Pod Template feature in this issue. If we provide support for Pod Templates, then this would provide a mechanism to provide complex Pod Security Context without needing to do extensive mapping from Config properties to Security Context.

nicknezis avatar Aug 30 '21 18:08 nicknezis
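As an added illustration (not part of the issue thread and not Heron's own code) of what the Pod Template approach discussed above would let a topology submitter supply, the following is a constructed Kubernetes pod template that sets a pod-level and a container-level securityContext. The image name, container name and volume names are placeholders; the securityContext fields themselves are standard Kubernetes API fields. With a template like this merged into the StatefulSet's pod spec, the scheduler would not need to map individual Config properties onto each Security Context field.

```yaml
# Constructed example pod template; placeholder names, not a Heron artifact.
apiVersion: v1
kind: Pod
metadata:
  name: heron-topology-template   # placeholder
spec:
  # Pod-level context applies to every container unless overridden below.
  securityContext:
    runAsNonRoot: true            # admission rejects images that would start as uid 0
    runAsUser: 1000               # placeholder uid present in the image
    runAsGroup: 1000
    fsGroup: 1000                 # mounted volumes become group-writable for this gid
    seccompProfile:
      type: RuntimeDefault        # container runtime's default syscall filter
  containers:
    - name: executor              # placeholder container name
      image: example.invalid/heron-executor:placeholder
      # Container-level context narrows privileges further.
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: scratch           # writable space needed since the root fs is read-only
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir: {}
```

The pod-level and container-level blocks are both part of the Kubernetes PodSpec, so a scheduler that accepts a full pod template can pass them through untouched; if the cluster enforces a restrictive admission policy, a pod missing settings like runAsNonRoot or the dropped capabilities is what gets rejected at submission time, which is the failure mode the original issue describes.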