DUNE-DAQ / nanorc


PodSecurity settings and egresses #231

Closed alessandrothea closed 8 months ago

alessandrothea commented 8 months ago

The PR adds privileged pod security labels to the session namespace, to enable running privileged containers even if not allowed by cluster security defaults.

                "labels": {
                    "pod-security.kubernetes.io/enforce":"privileged",
                    "pod-security.kubernetes.io/enforce-version":"latest",
                    "pod-security.kubernetes.io/warn":"privileged",
                    "pod-security.kubernetes.io/warn-version":"latest",
                    "pod-security.kubernetes.io/audit":"privileged",
                    "pod-security.kubernetes.io/audit-version":"latest"
                }

Also, the PR adds experimental support for custom egress endpoints, through the boot.conf external_services list:

'external_services': {
   'monkafka': {
      'host': 'monkafka.cern.ch',
      'port': 30092
   }
}

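
A check a cluster reviewer could run over a namespace manifest carrying the labels above (an added example, not part of the PR or of nanorc; the namespace name `example-session` and all function names are assumptions). It reports which Pod Security admission modes are set to `privileged`, and shows that keeping `warn` and `audit` at `baseline` leaves `enforce` untouched while those two modes still report violations.

```python
PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "warn", "audit")
LEVELS = ("privileged", "baseline", "restricted")  # least to most restrictive


def psa_levels(namespace):
    """Return {mode: (level, version)}; a mode with no label maps to None."""
    labels = (namespace.get("metadata") or {}).get("labels") or {}
    result = {}
    for mode in MODES:
        level = labels.get(PSA_PREFIX + mode)
        if level is None:
            result[mode] = None  # the cluster-wide admission default applies
        elif level not in LEVELS:
            raise ValueError(f"{mode}: unknown Pod Security level {level!r}")
        else:
            result[mode] = (level, labels.get(f"{PSA_PREFIX}{mode}-version"))
    return result


def psa_findings(namespace):
    """Describe what the namespace's Pod Security labels mean for a reviewer."""
    name = (namespace.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for mode, setting in psa_levels(namespace).items():
        if setting is None:
            findings.append(f"{name}: {mode} not set, cluster default applies")
        elif setting[0] == "privileged" and mode == "enforce":
            findings.append(f"{name}: enforce=privileged, admission rejects nothing")
        elif setting[0] == "privileged":
            findings.append(f"{name}: {mode}=privileged, never reports a violation")
    return findings


def session_namespace(name, report_level="privileged"):
    """Constructed sample: the PR's labels on a hypothetical namespace."""
    labels = {PSA_PREFIX + "enforce": "privileged",
              PSA_PREFIX + "enforce-version": "latest"}
    for mode in ("warn", "audit"):
        labels[PSA_PREFIX + mode] = report_level
        labels[PSA_PREFIX + mode + "-version"] = "latest"
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": name, "labels": labels}}


if __name__ == "__main__":
    for ns in (session_namespace("example-session"),
               session_namespace("example-session", report_level="baseline")):
        print("\n".join(psa_findings(ns)), end="\n\n")
```
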
plasorak commented 8 months ago

What happens if 2 sessions are run together? Would external_services step on each other?

plasorak commented 8 months ago

Never mind, it lives in the partition, so should be fine

alessandrothea commented 8 months ago

> What happens if 2 sessions are run together? Would external_services step on each other?

No, they are namespaced