You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@yunikorn.apache.org by "Wilfred Spiegelenburg (Jira)" <ji...@apache.org> on 2021/04/27 05:02:00 UTC

[jira] [Created] (YUNIKORN-658) default user should not be nobody

Wilfred Spiegelenburg created YUNIKORN-658:
----------------------------------------------

Summary: default user should not be nobody
Key: YUNIKORN-658
URL: https://issues.apache.org/jira/browse/YUNIKORN-658
Project: Apache YuniKorn
Issue Type: Sub-task
Reporter: Wilfred Spiegelenburg

In YUNIKORN-650 the possibility to read a label from a pod was introduced to specify a user for the pod. Allowing a label to specify the user is in itself not an issue. The side effects of doing this could be an issue:
# default behaviour has been changed without documenting it has, this change breaks existing deployments which rely on the old behaviour
# the current behaviour is to default to the ServiceAccountName for the pod. This value is always set. The new default is the user nobody as the label is not set.
# ACLs cannot be relied on anymore in any current deployment due to the default change.
# ACLs can always be bypassed as there is nothing that limits what can be set in the labels, this should be at least announced and documented clearly.

We should default to the old behaviour and only override with the label if the \{{userLabelKey}} parameter is explicitly set on startup. The default config should *not* set the value.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: dev-help@yunikorn.apache.org