apache / incubator-heron

Apache Heron (Incubating) is a realtime, distributed, fault-tolerant stream processing engine from Twitter
https://heron.apache.org/
Apache License 2.0

Kubernetes scheduler code should support setting a SecurityContext #3474

Open nicknezis opened 4 years ago

nicknezis commented 4 years ago

Kubernetes scheduler code should support setting a SecurityContext on an analytic's StatefulSet and Pod submissions to allow for pods to spin up in an environment with PodSecurityPolicy enabled.

surahman commented 3 years ago

Hi @nicknezis, I am trying to get acquainted with the code-base and was wondering if this has been resolved yet? I am looking at the following files:

heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesContext.java
heron/schedulers/src/java/org/apache/heron/scheduler/kubernetes/KubernetesScheduler.java
heron/spi/src/java/org/apache/heron/spi/common/Config.java

Tests @ heron/schedulers/tests/java/org/apache/heron/scheduler/kubernetes/KubernetesSchedulerTest.java

I have grep'd the code base for SecurityContext but was unable to find anything. Are you referring to the Kubernetes configurations for Security Context? I have located the Config.Builder in the org.apache.heron.spi.common package. From the Config.Builder, will I need to use the put method to add the Key-Value pairs for <SecurityContext Field, Value> under the spec::containers::securityContext YAML entry?

I would appreciate any direction you can provide, this is my first ~hour or so rummaging through the code-base.

joshfischer1108 commented 3 years ago

@nicknezis Did you see this?

nicknezis commented 3 years ago

@surahman This has not been resolved yet. Although I believe Kubernetes support for Pod Security Policy may be deprecated and evolving to something else. I believe the Security Context is still worth supporting. I have had some further thoughts on this topic when comparing how other analytic frameworks have solved it.

I've created a Project board to capture various Kubernetes Scheduler improvements I think we should make. Many of the designs mirror what the Apache Spark Kubernetes scheduler does. One of the tickets would solve this SecurityContext issue. Specifically the Pod Template feature in this issue. If we provide support for Pod Templates, then this would provide a mechanism to provide complex Pod Security Context without needing to do extensive mapping from Config properties to Security Context.
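For readers following the two approaches discussed in this thread (mapping Config properties to a Security Context, versus supplying a Pod Template), here is an added example that is not part of the Heron code base or of this issue. It shows what the scheduler would have to place on the pod spec of a StatefulSet so that the pods satisfy the checks a restricted PodSecurityPolicy (or its successor, Pod Security Admission) typically enforces. It uses the official Kubernetes Java client model classes (`io.kubernetes.client.openapi.models`), which the Heron Kubernetes scheduler also depends on; the two config keys `heron.kubernetes.pod.security.runAsUser` and `heron.kubernetes.pod.security.fsGroup` are hypothetical placeholders invented for this example, and the container image name is a constructed placeholder.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import io.kubernetes.client.openapi.models.V1Capabilities;
import io.kubernetes.client.openapi.models.V1Container;
import io.kubernetes.client.openapi.models.V1PodSecurityContext;
import io.kubernetes.client.openapi.models.V1PodSpec;
import io.kubernetes.client.openapi.models.V1SecurityContext;

/**
 * Added example, not Heron code: applies a restrictive security context to the
 * pod spec that a scheduler would embed in a StatefulSet template, and checks
 * that the result meets the usual "restricted" PodSecurityPolicy expectations.
 */
public final class PodSecurityContextExample {

  // Hypothetical config keys (not defined by Heron's KubernetesContext).
  static final String KEY_RUN_AS_USER = "heron.kubernetes.pod.security.runAsUser";
  static final String KEY_FS_GROUP = "heron.kubernetes.pod.security.fsGroup";

  /** Maps the (hypothetical) config values onto pod- and container-level security contexts. */
  static V1PodSpec withSecurityContext(V1PodSpec spec, Map<String, String> config) {
    long uid = Long.parseLong(config.getOrDefault(KEY_RUN_AS_USER, "1000"));
    long gid = Long.parseLong(config.getOrDefault(KEY_FS_GROUP, "1000"));

    // Pod-level context: non-root UID/GID and a fsGroup so mounted volumes are writable.
    V1PodSecurityContext podCtx = new V1PodSecurityContext()
        .runAsNonRoot(true)
        .runAsUser(uid)
        .runAsGroup(gid)
        .fsGroup(gid);
    spec.setSecurityContext(podCtx);

    // Container-level context: no privilege escalation, not privileged,
    // read-only root filesystem, and every Linux capability dropped.
    V1SecurityContext containerCtx = new V1SecurityContext()
        .allowPrivilegeEscalation(false)
        .privileged(false)
        .readOnlyRootFilesystem(true)
        .capabilities(new V1Capabilities().drop(Collections.singletonList("ALL")));
    for (V1Container container : spec.getContainers()) {
      container.setSecurityContext(containerCtx);
    }
    return spec;
  }

  /** Returns true when the spec carries the settings a restricted policy looks for. */
  static boolean isRestricted(V1PodSpec spec) {
    V1PodSecurityContext podCtx = spec.getSecurityContext();
    if (podCtx == null || !Boolean.TRUE.equals(podCtx.getRunAsNonRoot())) {
      return false;
    }
    for (V1Container container : spec.getContainers()) {
      V1SecurityContext ctx = container.getSecurityContext();
      if (ctx == null
          || !Boolean.FALSE.equals(ctx.getAllowPrivilegeEscalation())
          || Boolean.TRUE.equals(ctx.getPrivileged())
          || ctx.getCapabilities() == null
          || ctx.getCapabilities().getDrop() == null
          || !ctx.getCapabilities().getDrop().contains("ALL")) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed sample: one executor container, as a scheduler would build for a StatefulSet.
    V1PodSpec spec = new V1PodSpec().containers(List.of(
        new V1Container().name("executor").image("example.invalid/heron:placeholder")));

    Map<String, String> config = new HashMap<>();
    config.put(KEY_RUN_AS_USER, "1001");
    config.put(KEY_FS_GROUP, "1001");

    System.out.println("restricted before: " + isRestricted(spec));
    withSecurityContext(spec, config);
    System.out.println("restricted after:  " + isRestricted(spec));
  }
}
```

Two points worth checking before adopting a profile this strict: `readOnlyRootFilesystem` will only work if every path the executor writes to (topology package, logs, state) is backed by a mounted volume such as an `emptyDir`, and `runAsNonRoot` requires the image itself to run as a non-root user. A Pod Template, as proposed in the last comment, lets operators express exactly these per-cluster choices without the scheduler having to grow a config key for each field.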