Posted to reviews@yunikorn.apache.org by pb...@apache.org on 2022/11/29 10:16:45 UTC

[yunikorn-site] branch master updated: [YUNIKORN-1432] User/group resolution: update documentation about configmaps (#219)

This is an automated email from the ASF dual-hosted git repository.

pbacsko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-site.git


The following commit(s) were added to refs/heads/master by this push:
     new c737c7b78 [YUNIKORN-1432] User/group resolution: update documentation about configmaps (#219)
c737c7b78 is described below

commit c737c7b789e897c078eaaa149f0f707b6bf14ba1
Author: Peter Bacsko <pb...@cloudera.com>
AuthorDate: Tue Nov 29 11:16:32 2022 +0100

    [YUNIKORN-1432] User/group resolution: update documentation about configmaps (#219)
    
    Closes: #219
    
    Signed-off-by: Peter Bacsko <pb...@cloudera.com>
---
 docs/user_guide/usergroup_resolution.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/user_guide/usergroup_resolution.md b/docs/user_guide/usergroup_resolution.md
index bc3241ed2..34d4e65dd 100644
--- a/docs/user_guide/usergroup_resolution.md
+++ b/docs/user_guide/usergroup_resolution.md
@@ -105,16 +105,16 @@ Group resolution is no longer necessary inside the shim.
 
 ### Configuring the admission controller
 
-The following environment variables are available for the admission controller:
+The admission controller can be configured with the `yunikorn-configs` configmap. All entries start with the prefix `admissionController.accessControl.`.
 
 |Variable|Default value|Description|
 |--|--|--|
-|`ADMISSION_CONTROLLER_BYPASS_AUTH`|false|Allow any external user to create pods with user information set|
-|`ADMISSION_CONTROLLER_TRUST_CONTROLLERS`|true|Allow Kubernetes controller users to create pods with user information set|
-|`ADMISSION_CONTROLLER_SYSTEM_USERS`|"system:serviceaccount:kube-system:*"|Regular expression for the allowed controller service account list|
-|`ADMISSION_CONTROLLER_EXTERNAL_USERS`|""|Regular expression for the allowed external user list|
-|`ADMISSION_CONTROLLER_EXTERNAL_GROUPS`|""|Regular expression for the allowed external group list|
+|`bypassAuth`|false|Allow any external user to create pods with user information set|
+|`trustControllers`|true|Allow Kubernetes controller users to create pods with user information set|
+|`systemUsers`|"^system:serviceaccount:kube-system:"|Regular expression for the allowed controller service account list|
+|`externalUsers`|""|Regular expression for the allowed external user list|
+|`externalGroups`|""|Regular expression for the allowed external group list|
 
-If `ADMISSION_CONTROLLER_BYPASS_AUTH` is set to true the admission controller will not add the annotation to a pod if the annotation is not present and the deprecated user labell is set. If the annotation is not set and the user label is not set the new annotation will be added. In the case that `BYPASS_AUTH` is false, the default, the admission controller will always add the new annotation, regardless of the existence of the deprecated label.
+If `bypassAuth` is set to true the admission controller will not add the annotation to a pod if the annotation is not present and the deprecated user labell is set. If the annotation is not set and the user label is not set the new annotation will be added. In the case that `bypassAuth` is false, the default, the admission controller will always add the new annotation, regardless of the existence of the deprecated label.
 
-In certain scenarios, users and groups must be provided to Yunikorn upon submission because the user and group management is provided by external systems and the lookup mechanism is not trivial. In these cases, the `ADMISSION_CONTROLLER_EXTERNAL_USERS` and `ADMISSION_CONTROLLER_EXTERNAL_GROUPS` can be configured which are treated as regular expressions. Matching users and groups are allowed to set the `yunikorn.apache.org/user.info` annotation to any arbitrary value. Since this has impli [...]
+In certain scenarios, users and groups must be provided to Yunikorn upon submission because the user and group management is provided by external systems and the lookup mechanism is not trivial. In these cases, the `externalUsers` and `externalGroups` can be configured which are treated as regular expressions. Matching users and groups are allowed to set the `yunikorn.apache.org/user.info` annotation to any arbitrary value. Since this has implications which affects scheduling inside Yuni [...]
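Review bot: In the table row for `systemUsers`, the default changes from `system:serviceaccount:kube-system:*` to the explicitly anchored `^system:serviceaccount:kube-system:`, but the surrounding text never says whether these regular expressions must match the whole name or may match anywhere inside it. Because a user or group that matches `externalUsers` or `externalGroups` is allowed to set `yunikorn.apache.org/user.info` to an arbitrary value, the document should state the matching semantics and, if matching is partial, tell operators to anchor their patterns with `^` and `$`. The header of the table in the unchanged context still reads `Variable` although the entries are now configmap keys, so `Key` or `Entry` would fit better, and writing out one full key such as `admissionController.accessControl.bypassAuth` would remove any doubt about how the prefix combines with the short names. The two rewritten paragraphs also carry over the typo "labell" and the phrase "implications which affects", which could be corrected while these lines are being touched.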