Posted to issues@yunikorn.apache.org by "Peter Bacsko (Jira)" <ji...@apache.org> on 2021/10/05 13:17:00 UTC
[jira] [Comment Edited] (YUNIKORN-871) Admission controller should only validate yunikorn configmap changes
[ https://issues.apache.org/jira/browse/YUNIKORN-871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17424469#comment-17424469 ]
Peter Bacsko edited comment on YUNIKORN-871 at 10/5/21, 1:16 PM:
-----------------------------------------------------------------
Ok, I think the bare minimum is to modify {{validations.yaml.template}} and {{incubator-yunikorn-release/helm-charts/yunikorn/templates/configmap.yaml}}.
However, two things to consider:
1) Are there any other places where we create configmap? I didn't find any other than {{configmap.yaml}}.
2) How should we handle upgrades? [~kmarton] recommended a follow-up JIRA.
Also, there's this part in {{deployment.yaml}}:
{noformat}
env:
- name: NAMESPACE
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace
{noformat}
This sets the {{NAMESPACE}} variable which {{admission_util.sh}} will eventually pick up (provided that {{embedAdmissionController}} is true, which it is by default). So what is this {{metadata.namespace}}, how is it set? It's set to "default".
It's also worth pointing out that {{deployments/admission-controllers/scheduler/configs.properties}} also has a namespace setting which happens to be "yunikorn".
I think that we should either use "yunikorn" or "default", but not both.
cc [~kmarton] [~wwei] [~ccondit]
> Admission controller should only validate yunikorn configmap changes
> --------------------------------------------------------------------
>
> Key: YUNIKORN-871
> URL: https://issues.apache.org/jira/browse/YUNIKORN-871
> Project: Apache YuniKorn
> Issue Type: Bug
> Components: shim - kubernetes
> Reporter: Peter Bacsko
> Assignee: Peter Bacsko
> Priority: Major
>
> Currently, the admission controller is watching all namespaces and tries to validate all configmap changes. But we only need to validate the yunikorn-related changes.
> Example:
> {noformat}
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z INFO webhook/webhook.go:83 the admission controller started {"port": 9089, "listeningOn": ["/mutate", "/validate-conf"]}
> $ kubectl create namespace testnamespace
> namespace/testnamespace created
> $ kubectl create configmap my-config --from-literal=mykey=myval --namespace=testnamespace
> configmap/my-config created
> $ kubectl get cm
> NAME               DATA   AGE
> yunikorn-configs   1      11m
> $ kubectl get cm --namespace=testnamespace
> NAME        DATA   AGE
> my-config   1      17s
> $ kubectl logs yunikorn-admission-controller-695869b547-qtfpg
> ...
> 2021-10-04T11:52:19.379Z INFO webhook/webhook.go:83 the admission controller started {"port": 9089, "listeningOn": ["/mutate", "/validate-conf"]}
> 2021-10-04T12:03:57.806Z INFO webhook/admission_controller.go:304 AdmissionReviewResponse {"allowed": true}
> {noformat}
>
> We need something like the following in {{validations.yaml.template}}:
> {noformat}
> namespaceSelector:
>   matchLabels:
>     yunikorn
> {noformat}
> This problem was originally found by [~kmarton].
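A handler-side scope check that complements the {{namespaceSelector}} proposed in the issue, shown as an added example that is not part of the original message and not YuniKorn's own code. The helper {{inScope}} and the sample payloads are hypothetical; the ConfigMap name {{yunikorn-configs}} and the {{NAMESPACE}} variable are taken from the kubectl output and {{deployment.yaml}} quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview request fields.
type admissionReview struct {
	Request struct {
		Kind struct {
			Kind string `json:"kind"`
		} `json:"kind"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"request"`
}

// inScope (hypothetical helper) reports whether a review targets the scheduler's
// own ConfigMap; anything else should be allowed without parsing its data.
func inScope(raw []byte, namespace, configMap string) (bool, error) {
	var ar admissionReview
	if err := json.Unmarshal(raw, &ar); err != nil {
		return false, fmt.Errorf("malformed AdmissionReview: %w", err)
	}
	r := ar.Request
	return r.Kind.Kind == "ConfigMap" && r.Namespace == namespace && r.Name == configMap, nil
}

// Constructed sample requests mirroring the kubectl session in the issue.
var (
	sampleForeign = []byte(`{"request":{"kind":{"kind":"ConfigMap"},"namespace":"testnamespace","name":"my-config"}}`)
	sampleOwn     = []byte(`{"request":{"kind":{"kind":"ConfigMap"},"namespace":"default","name":"yunikorn-configs"}}`)
)

func main() {
	ns := os.Getenv("NAMESPACE") // set from metadata.namespace in deployment.yaml
	if ns == "" {
		ns = "default" // assumption for running outside a pod
	}
	for _, raw := range [][]byte{sampleForeign, sampleOwn} {
		ok, err := inScope(raw, ns, "yunikorn-configs")
		fmt.Println(ok, err)
	}
}
```

If the controller is configured with "yunikorn" while the ConfigMap lives in "default", this check matches nothing, which is the mismatch the comment warns about.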