Open IsaiahStapleton opened 4 months ago
We are running into many issues with the Gatekeeper policies. Applying them leads to issues with pod creation as well as with running scripts/cronjobs, such as the nb-culler script we use to delete pods that have been running for a certain amount of time. I do not think we should be using Gatekeeper for validation. I will look into creating a webhook using Python and Flask; that way we have more control over what the webhook is actually doing.
We need to create a Gatekeeper policy to validate pods (such as rejecting pods being created that don’t conform to what students should be running: class image, xsmall size, no GPU). We will need to create this policy per class, so that students are only running what they are supposed to for their class.
This issue depends on https://github.com/nerc-project/operations/issues/637, because Gatekeeper needs a way to differentiate which users belong to which class in the rhods-notebooks namespace.
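
The per-class pod check described in this issue (class image, xsmall size, no GPU), sketched as the decision function a Python/Flask validating webhook would call; this is an added example, not code from the issue or the project. The label key `example.org/class`, the class name, the image and the xsmall limits are assumed placeholders, since how a pod is tied to a class is left to the linked issue.

```python
import re

# Assumed placeholders: the label key, class name, image and "xsmall" limits
# are not from the issue; substitute the real per-class values.
CLASS_LABEL = "example.org/class"
POLICIES = {"class-a": {"images": {"registry.example/class-a:1"},
                        "cpu": "1", "memory": "4Gi"}}
UNITS = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
         "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def quantity(q):
    """Parse a Kubernetes quantity such as '500m' or '4Gi' into a float."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-zA-Z]*)", str(q))
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def violations(pod):
    """Return the list of reasons the pod breaks its class policy."""
    labels = pod.get("metadata", {}).get("labels") or {}
    policy = POLICIES.get(labels.get(CLASS_LABEL))
    if policy is None:
        return [f"no known class in label {CLASS_LABEL}"]  # fail closed
    spec, found = pod.get("spec", {}), []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name")
        if c.get("image") not in policy["images"]:
            found.append(f"{name}: image {c.get('image')} not allowed")
        res = c.get("resources") or {}
        limits, requests = res.get("limits") or {}, res.get("requests") or {}
        # Heuristic: extended resources such as nvidia.com/gpu contain "gpu".
        if any("gpu" in key for key in {**limits, **requests}):
            found.append(f"{name}: GPU resources not allowed")
        for key in ("cpu", "memory"):
            try:
                if quantity(limits[key]) > quantity(policy[key]):
                    found.append(f"{name}: {key} limit {limits[key]} too large")
            except (KeyError, ValueError):  # a missing limit fails closed
                found.append(f"{name}: missing or unparsable {key} limit")
    return found

def review(admission_review):
    """Build the AdmissionReview response for a Pod CREATE request."""
    req = admission_review["request"]
    found = violations(req["object"])
    resp = {"uid": req["uid"], "allowed": not found}
    if found:
        resp["status"] = {"code": 403, "message": "; ".join(found)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}
```

A Flask route only needs to pass the posted JSON to `review()` and return the result as JSON; scoping the webhook to the notebook namespace keeps it away from unrelated pods such as the nb-culler cronjob.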