You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@yunikorn.apache.org by "Craig Condit (Jira)" <ji...@apache.org> on 2022/05/25 15:00:00 UTC

[jira] [Commented] (YUNIKORN-966) Retrieve the username from the SparkApp CRD

    [ https://issues.apache.org/jira/browse/YUNIKORN-966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542084#comment-17542084 ] 

Craig Condit commented on YUNIKORN-966:
---------------------------------------

I think if there is a conflict between the spark defined user and the yunikorn user, the yunikorn user needs to take precedence. The reason for this is that currently, it's possible to create an admission controller which forcibly sets the username based on security policy. If we allow this to be overridden by Spark, then that creates a security hole. I will update the PR review with this as well.

> Retrieve the username from the SparkApp CRD
> -------------------------------------------
>
>                 Key: YUNIKORN-966
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-966
>             Project: Apache YuniKorn
>          Issue Type: Sub-task
>          Components: shim - kubernetes
>            Reporter: Chaoran Yu
>            Assignee: ted
>            Priority: Minor
>              Labels: pull-request-available
>
> Currently the shim only looks at the pods to get the value of the label yunikorn.apache.org/username. When the Spark operator plugin is enabled, we should look at the SparkApp CRD for the label.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@yunikorn.apache.org
For additional commands, e-mail: issues-help@yunikorn.apache.org