Posted to reviews@yunikorn.apache.org by GitBox <gi...@apache.org> on 2021/03/10 07:28:40 UTC

[GitHub] [incubator-yunikorn-k8shim] yangwwei opened a new pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

yangwwei opened a new pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [incubator-yunikorn-k8shim] yangwwei commented on a change in pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
yangwwei commented on a change in pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238#discussion_r592141796



##########
File path: pkg/cache/placeholder.go
##########
@@ -29,6 +29,10 @@ import (
 	"github.com/apache/incubator-yunikorn-k8shim/pkg/common/utils"
 )
 
+// MUST: run the placeholder pod as non-root user
+var runAsUser int64 = 1000
+var runAsGroup int64 = 3000
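Review bot: the comment above `runAsUser`/`runAsGroup` states the requirement (non-root) but not why 1000 and 3000 in particular were chosen, which is the question a reader of this file will ask first; a one-line rationale next to the values (for example that both sit at or above the range that `useradd` hands to ordinary users, so they cannot collide with a system account baked into the image) would settle it. Since these are package-level `var`s rather than constants (needed because the pod spec wants `*int64`) and every placeholder spec will hold a pointer to them, any later write to either variable silently changes the identity of all placeholders created afterwards; copying the values into locals inside `newPlaceholder` before taking their address removes that shared mutable state.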

Review comment:
I thought I had replied, but it looks like I forgot to hit the send button.
I have added the comments; hopefully that explains things.
The reason to just put 1000/3000 is to follow the recommendation from the K8s security context doc; I think that should be fine.







[GitHub] [incubator-yunikorn-k8shim] kingamarton closed pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
kingamarton closed pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238


   





[GitHub] [incubator-yunikorn-k8shim] codecov[bot] edited a comment on pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
codecov[bot] edited a comment on pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238#issuecomment-796481234


   # [Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=h1) Report
   > Merging [#238](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=desc) (cb2a81e) into [master](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/commit/c47ed51f075c5af5910f71da40e7e68699a9abae?el=desc) (c47ed51) will **decrease** coverage by `0.68%`.
   > The diff coverage is `44.09%`.
   
   [![Impacted file tree graph](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/graphs/tree.svg?width=650&height=150&src=pr&token=LZImIuvleR)](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=tree)
   
   ```diff
   @@            Coverage Diff             @@
   ##           master     #238      +/-   ##
   ==========================================
   - Coverage   59.75%   59.06%   -0.69%     
   ==========================================
     Files          35       35              
     Lines        3133     3200      +67     
   ==========================================
   + Hits         1872     1890      +18     
   - Misses       1180     1228      +48     
   - Partials       81       82       +1     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=tree) | Coverage Δ | |
   |---|---|---|
   | [pkg/appmgmt/appmgmt\_recovery.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2FwcG1nbXQvYXBwbWdtdF9yZWNvdmVyeS5nbw==) | `67.50% <0.00%> (-8.18%)` | :arrow_down: |
   | [pkg/cache/amprotocol\_mock.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FtcHJvdG9jb2xfbW9jay5nbw==) | `0.00% <0.00%> (ø)` | |
   | [pkg/cache/task.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL3Rhc2suZ28=) | `74.40% <ø> (ø)` | |
   | [pkg/common/resource.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi9yZXNvdXJjZS5nbw==) | `90.72% <0.00%> (-9.28%)` | :arrow_down: |
   | [pkg/common/utils/gang\_utils.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi91dGlscy9nYW5nX3V0aWxzLmdv) | `67.94% <0.00%> (-13.59%)` | :arrow_down: |
   | [pkg/controller/application/app\_controller.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbnRyb2xsZXIvYXBwbGljYXRpb24vYXBwX2NvbnRyb2xsZXIuZ28=) | `71.05% <ø> (-0.26%)` | :arrow_down: |
   | [...missioncontrollers/webhook/admission\_controller.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL2FkbWlzc2lvbl9jb250cm9sbGVyLmdv) | `33.74% <0.00%> (+1.00%)` | :arrow_up: |
   | [pkg/cache/application\_events.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FwcGxpY2F0aW9uX2V2ZW50cy5nbw==) | `43.33% <8.33%> (-9.73%)` | :arrow_down: |
   | [pkg/cache/application.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FwcGxpY2F0aW9uLmdv) | `72.57% <62.50%> (-4.17%)` | :arrow_down: |
   | [pkg/common/si\_helper.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi9zaV9oZWxwZXIuZ28=) | `63.15% <80.00%> (ø)` | |
   | ... and [5 more](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree-more) | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=continue).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=footer). Last update [8f15278...cb2a81e](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
   





[GitHub] [incubator-yunikorn-k8shim] wilfred-s commented on a change in pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
wilfred-s commented on a change in pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238#discussion_r592138151



##########
File path: pkg/cache/placeholder.go
##########
@@ -29,6 +29,10 @@ import (
 	"github.com/apache/incubator-yunikorn-k8shim/pkg/common/utils"
 )
 
+// MUST: run the placeholder pod as non-root user
+var runAsUser int64 = 1000
+var runAsGroup int64 = 3000

Review comment:
The IDs are just random user and group IDs. The IDs do not have to map to real users in the password file etc. Probably better if they do not. IDs 1000 and above are used by OS tools like `useradd` when adding end users. Anything below that is considered a system account. The Linux spec defines a smaller range from 0-499 for the OS; however, 1000 is a safer base.
The only thing I would do is keep user and group ID the same: both 1000. The comment seems clear enough.







[GitHub] [incubator-yunikorn-k8shim] kingamarton commented on a change in pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
kingamarton commented on a change in pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238#discussion_r591238948



##########
File path: pkg/cache/placeholder.go
##########
@@ -50,6 +54,10 @@ func newPlaceholder(placeholderName string, app *Application, taskGroup v1alpha1
 			},
 		},
 		Spec: v1.PodSpec{
+			SecurityContext: &v1.PodSecurityContext{
+				RunAsUser:  &runAsUser,
+				RunAsGroup: &runAsGroup,
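Review bot: the new `PodSecurityContext` sets `RunAsUser` and `RunAsGroup` but not `RunAsNonRoot`, so the "must be running as a non-root user" requirement in the PR title is only implied by the chosen UID rather than enforced; adding `RunAsNonRoot` set to `true` alongside `RunAsUser: &runAsUser` makes the kubelet refuse to start the placeholder if the effective UID ever resolves to 0 (for instance if the package-level variables are changed later). With the codecov report putting the diff coverage at 44.09%, a unit test on `newPlaceholder` that asserts the security context is populated with the expected IDs would also lock the behaviour in.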

Review comment:
What is the setting for the first pod? Wouldn't it be better to use the same setting instead of defining some default user and group?

##########
File path: pkg/cache/placeholder.go
##########
@@ -29,6 +29,10 @@ import (
 	"github.com/apache/incubator-yunikorn-k8shim/pkg/common/utils"
 )
 
+// MUST: run the placeholder pod as non-root user
+var runAsUser int64 = 1000
+var runAsGroup int64 = 3000

Review comment:
What do these values mean? I think we should add some comments to explain why these values are used.







[GitHub] [incubator-yunikorn-k8shim] codecov[bot] commented on pull request #238: [YUNIKORN-559] Placeholder pods must be running as a non-root user.

Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on pull request #238:
URL: https://github.com/apache/incubator-yunikorn-k8shim/pull/238#issuecomment-796481234


   # [Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=h1) Report
   > Merging [#238](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=desc) (cb2a81e) into [master](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/commit/c47ed51f075c5af5910f71da40e7e68699a9abae?el=desc) (c47ed51) will **decrease** coverage by `0.68%`.
   > The diff coverage is `44.09%`.
   
   [![Impacted file tree graph](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/graphs/tree.svg?width=650&height=150&src=pr&token=LZImIuvleR)](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=tree)
   
   ```diff
   @@            Coverage Diff             @@
   ##           master     #238      +/-   ##
   ==========================================
   - Coverage   59.75%   59.06%   -0.69%     
   ==========================================
     Files          35       35              
     Lines        3133     3200      +67     
   ==========================================
   + Hits         1872     1890      +18     
   - Misses       1180     1228      +48     
   - Partials       81       82       +1     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=tree) | Coverage Δ | |
   |---|---|---|
   | [pkg/appmgmt/appmgmt\_recovery.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2FwcG1nbXQvYXBwbWdtdF9yZWNvdmVyeS5nbw==) | `67.50% <0.00%> (-8.18%)` | :arrow_down: |
   | [pkg/cache/amprotocol\_mock.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FtcHJvdG9jb2xfbW9jay5nbw==) | `0.00% <0.00%> (ø)` | |
   | [pkg/cache/task.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL3Rhc2suZ28=) | `74.40% <ø> (ø)` | |
   | [pkg/common/resource.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi9yZXNvdXJjZS5nbw==) | `90.72% <0.00%> (-9.28%)` | :arrow_down: |
   | [pkg/common/utils/gang\_utils.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi91dGlscy9nYW5nX3V0aWxzLmdv) | `67.94% <0.00%> (-13.59%)` | :arrow_down: |
   | [pkg/controller/application/app\_controller.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbnRyb2xsZXIvYXBwbGljYXRpb24vYXBwX2NvbnRyb2xsZXIuZ28=) | `71.05% <ø> (-0.26%)` | :arrow_down: |
   | [...missioncontrollers/webhook/admission\_controller.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL3BsdWdpbi9hZG1pc3Npb25jb250cm9sbGVycy93ZWJob29rL2FkbWlzc2lvbl9jb250cm9sbGVyLmdv) | `33.74% <0.00%> (+1.00%)` | :arrow_up: |
   | [pkg/cache/application\_events.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FwcGxpY2F0aW9uX2V2ZW50cy5nbw==) | `43.33% <8.33%> (-9.73%)` | :arrow_down: |
   | [pkg/cache/application.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NhY2hlL2FwcGxpY2F0aW9uLmdv) | `72.57% <62.50%> (-4.17%)` | :arrow_down: |
   | [pkg/common/si\_helper.go](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree#diff-cGtnL2NvbW1vbi9zaV9oZWxwZXIuZ28=) | `63.15% <80.00%> (ø)` | |
   | ... and [5 more](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238/diff?src=pr&el=tree-more) | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=continue).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=footer). Last update [8f15278...cb2a81e](https://codecov.io/gh/apache/incubator-yunikorn-k8shim/pull/238?src=pr&el=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
   

