You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@yunikorn.apache.org by "Craig Condit (Jira)" <ji...@apache.org> on 2023/03/20 22:09:00 UTC

[jira] [Resolved] (YUNIKORN-1627) Admission controller triggers infinite recreation of ReplicaSet objects

     [ https://issues.apache.org/jira/browse/YUNIKORN-1627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Craig Condit resolved YUNIKORN-1627.
------------------------------------
    Fix Version/s: 1.3.0
       Resolution: Fixed

Merged to master.

> Admission controller triggers infinite recreation of ReplicaSet objects
> -----------------------------------------------------------------------
>
>                 Key: YUNIKORN-1627
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1627
>             Project: Apache YuniKorn
>          Issue Type: Bug
>          Components: shim - kubernetes
>    Affects Versions: 1.2.0
>            Reporter: Craig Condit
>            Assignee: Peter Bacsko
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 1.3.0
>
>
> YUNIKORN-1338 added support in the admission controller for mutating workload objects other than Pods for the purposes of user tracking (and eventual enforcement). This functionality works as designed.
> However, in the case where a ReplicaSet is managed by a Deployment, the changes to the ReplicaSet pod template trigger the associated Deployment to recreate the ReplicaSet without the changes, which the admission controller then updates, triggering another ReplicaSet, etc. ad infinitum. 
> The workaround for now is to set the following in the {{yunikorn-configs}} ConfigMap, which disables the functionality:
> {code:java}
> admissionController.accessControl.bypassAuth: "true"{code}
> The real fix needs to take into account any {{ownerReference}} in a workload which points to another workload type that we manage. This definitely includes ReplicaSet -> Deployment, but could include other workload relationships (more investigation needed on this).
> For ReplicaSets, if the ownerReference is set to a Deployment, it should be sufficient to check for that and assume that the Deployment itself has passed in the appropriate user information due to the admission controller having mutated the Deployment.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: dev-help@yunikorn.apache.org