Posted to commits@heron.apache.org by GitBox <gi...@apache.org> on 2020/02/26 19:16:33 UTC

[GitHub] [incubator-heron] nicknezis opened a new issue #3474: Kubernetes scheduler code should support setting a SecurityContext

nicknezis opened a new issue #3474: Kubernetes scheduler code should support setting a SecurityContext
URL: https://github.com/apache/incubator-heron/issues/3474
 
 
   Kubernetes scheduler code should support setting a SecurityContext on an analytic's StatefulSet and Pod submissions to allow for pods to spin up in an environment with PodSecurityPolicy enabled.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [incubator-heron] joshfischer1108 commented on issue #3474: Kubernetes scheduler code should support setting a SecurityContext

Posted by GitBox <gi...@apache.org>.
joshfischer1108 commented on issue #3474:
URL: https://github.com/apache/incubator-heron/issues/3474#issuecomment-908350348


   @nicknezis Did you see this?





[GitHub] [incubator-heron] nicknezis commented on issue #3474: Kubernetes scheduler code should support setting a SecurityContext

Posted by GitBox <gi...@apache.org>.
nicknezis commented on issue #3474:
URL: https://github.com/apache/incubator-heron/issues/3474#issuecomment-908593378


   @surahman This has not been resolved yet. Although I believe Kubernetes support for Pod Security Policy may be deprecated and evolving to something else, I believe the Security Context is still worth supporting. I have had some further thoughts on this topic when comparing how other analytic frameworks have solved it.
   
   I've created a [Project board](https://github.com/apache/incubator-heron/projects/5) to capture various Kubernetes Scheduler improvements I think we should make. Many of the designs mirror what the Apache Spark Kubernetes scheduler does. One of the tickets would solve this SecurityContext issue, specifically the Pod Template feature in [this issue](https://github.com/apache/incubator-heron/issues/3707). If we provide support for Pod Templates, then this would provide a mechanism to provide complex Pod Security Context without needing to do extensive mapping from Config properties to Security Context.
   
   




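Added example, not part of the issue thread or the Heron code base: a Pod Template of the kind discussed in the comment above, showing where a Security Context sits at Pod level and at container level. The template name, container name, image and numeric IDs are constructed placeholders, and how the scheduler would load such a template is not specified on this page.

```yaml
# Hypothetical Pod Template; every name and value below is a constructed placeholder.
apiVersion: v1
kind: PodTemplate
metadata:
  name: heron-topology-template        # hypothetical name
template:
  spec:
    # Pod-level securityContext: inherited by every container in the Pod.
    # Restrictive admission policies typically check these fields.
    securityContext:
      runAsNonRoot: true               # kubelet refuses to start a container as UID 0
      runAsUser: 1000                  # constructed UID
      runAsGroup: 1000                 # constructed GID
      fsGroup: 1000                    # group ownership applied to mounted volumes
      seccompProfile:
        type: RuntimeDefault
    containers:
      - name: executor                 # hypothetical container name
        image: example.invalid/heron:placeholder
        # Container-level securityContext: these fields exist only per container,
        # and any field set at both levels takes the container's value.
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```

Carrying the whole block in a template avoids a separate config key for each of these fields, which is the mapping effort the comment refers to.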

[GitHub] [incubator-heron] surahman edited a comment on issue #3474: Kubernetes scheduler code should support setting a SecurityContext

Posted by GitBox <gi...@apache.org>.
surahman edited a comment on issue #3474:
URL: https://github.com/apache/incubator-heron/issues/3474#issuecomment-906540313


   Hi @nicknezis, I am trying to get acquainted with the code-base and was wondering if this has been resolved yet? I am looking at the following files:
   
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java)
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java)
   [heron/spi/src/java/org/apache/heron/spi/common/Config.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/spi/src/java/org/apache/heron/spi/common/Config.java)
   
   Tests @ [heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java)
   
   I have `grep`'d the code base for `SecurityContext` but was unable to find anything, are you referring to the Kubernetes configurations for [`Security Context`](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)? I have located the [`Config.Builder`](https://heron.apache.org/api/java/org/apache/heron/spi/common/Config.Builder.html) in the [`org.apache.heron.spi.common`](https://heron.apache.org/api/java/org/apache/heron/spi/common/package-summary.html) package. From the `Config.Builder` I will need to use the `put` method to add the Key-Value pairs for `<SecurityContext, Supplied Value>`?
   
   I would appreciate any direction you can provide, this is my first ~hour or so rummaging through the code-base.








[GitHub] [incubator-heron] surahman edited a comment on issue #3474: Kubernetes scheduler code should support setting a SecurityContext

Posted by GitBox <gi...@apache.org>.
surahman edited a comment on issue #3474:
URL: https://github.com/apache/incubator-heron/issues/3474#issuecomment-906540313


   Hi @nicknezis, I am trying to get acquainted with the code-base and was wondering if this has been resolved yet? I am looking at the following files:
   
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java)
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java)
   [heron/spi/src/java/org/apache/heron/spi/common/Config.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/spi/src/java/org/apache/heron/spi/common/Config.java)
   
   Tests @ [heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java)
   
   I have `grep`'d the code base for `SecurityContext` but was unable to find anything, are you referring to the Kubernetes configurations for [`Security Context`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core)? I have located the [`Config.Builder`](https://heron.apache.org/api/java/org/apache/heron/spi/common/Config.Builder.html) in the [`org.apache.heron.spi.common`](https://heron.apache.org/api/java/org/apache/heron/spi/common/package-summary.html) package. From the `Config.Builder` I will need to use the `put` method to add the Key-Value pairs for `<SecurityContext Field, Value>` under the `spec::containers::securityContext` YAML entry?
   
   I would appreciate any direction you can provide, this is my first ~hour or so rummaging through the code-base.





[GitHub] [incubator-heron] surahman commented on issue #3474: Kubernetes scheduler code should support setting a SecurityContext

Posted by GitBox <gi...@apache.org>.
surahman commented on issue #3474:
URL: https://github.com/apache/incubator-heron/issues/3474#issuecomment-906540313


   Hi @nicknezis, I am trying to get acquainted with the code-base and was wondering if this has been resolved yet? I am looking at the following files:
   
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java)
   [heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java)
   Tests @ [heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java](https://github.com/apache/incubator-heron/blob/4d9a7de106d6f1f6de6a96f996735c5fc636011b/heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java)
   
   I have `grep`'d the code base for `SecurityContext` but was unable to find anything. I would appreciate any direction you can provide, this is my first ~hour or so rummaging through the code-base.




