Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Skip verify volcano job container's Privileged mode #411

Merged
merged 2 commits into from
Sep 5, 2019

Conversation

hzxuzhonghu
Copy link
Collaborator

fixes: #409

@volcano-sh-bot volcano-sh-bot requested review from hex108 and k82cn August 12, 2019 04:25
@volcano-sh-bot volcano-sh-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 12, 2019
@TravisBuddy
Copy link

Travis tests have failed

Hey @hzxuzhonghu,
Please read the following log in order to understand the failure reason.
It'll be awesome if you fix what's wrong and commit the changes.

TravisBuddy Request Identifier: fd89a9e0-bcb9-11e9-af47-41b3464977ce

@TravisBuddy
Copy link

Travis tests have failed

Hey @hzxuzhonghu,
Please read the following log in order to understand the failure reason.
It'll be awesome if you fix what's wrong and commit the changes.

TravisBuddy Request Identifier: 2da36520-bcbb-11e9-af47-41b3464977ce

// Skip verify container SecurityContex.Privileged
for i, container := range coreTemplateSpec.Spec.Containers {
if container.SecurityContext != nil && container.SecurityContext.Privileged != nil {
coreTemplateSpec.Spec.Containers[i].SecurityContext.Privileged = nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where did we validate privileged, ValidatePodTemplate? BTW, we should enable/disable this validation according to --allow-privileged of kube-apiserver.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Just leave the validation to apiserver, as we may not know the cluster flag.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Just leave the validation to apiserver, as we may not know the cluster flag.

Better to add this into code notes.

Copy link
Member

@k82cn k82cn Aug 19, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any other validation dependent on api-server parameter? This's a kind of hack :(

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me have an investigate

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should have no other fields. But will ignore some fields validation which depends on the feature gate, like CustomPodDNS.

I think this still does not matter as #412 in.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm... so how to identify those issues before user?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hzxuzhonghu , let's get this merged firstly, and open an issue on how to identify those issues before user;

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest introducing k8s native ut cases into volcano, i think they should already cover corner cases.

@k82cn
Copy link
Member

k82cn commented Sep 5, 2019

/lgtm
/approve

@volcano-sh-bot volcano-sh-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 5, 2019
@volcano-sh-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu, k82cn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@volcano-sh-bot volcano-sh-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 5, 2019
@volcano-sh-bot volcano-sh-bot merged commit 2b7fbe2 into volcano-sh:master Sep 5, 2019
@hzxuzhonghu hzxuzhonghu deleted the admission branch September 5, 2019 10:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How to use privilege container with Volcano?
5 participants