How to use privilege container with Volcano? #409

Closed
goversion opened this issue Aug 8, 2019 · 5 comments · Fixed by #411
kind/bug Categorizes issue or PR as related to a bug.

goversion commented Aug 8, 2019

What happened:

I need to use the privileged level in a Volcano job's YAML file, that is, to add “privileged: true” to the YAML file.

When creating the job, the following error will be reported.

$ kubectl create -f abc.yaml
Error from server: error when creating "abc.yaml":
admission webhook "validatejob.volcano.sh" denied the request:
spec.task[0].template.spec.containers[0].securityContext.privileged:
Forbidden: disallowed by cluster policy.
spec.task[1].template.spec.containers[0].securityContext.privileged:
Forbidden: disallowed by cluster policy.

Note that kube-apiserver and kubelet have been set with "privilege=true".

If I enter the following command to delete the settings related to Volcano admission, I can avoid the above error when creating the job, and the job can then use the privileged level.

$ kubectl delete validatingwebhookconfiguration volcano-admission-service-validate-job

However, the problem is that Volcano admission then does not verify the fields in the YAML file at all, which is not good.

What better solution does the community have, please? Thanks!

What you expected to happen:
I would like to add “privileged: true” to a Volcano job's YAML file; this is not allowed at present.

How to reproduce it (as minimally and precisely as possible):

  1. Enable kube-apiserver with --allow-privileged=true ...
  2. Enable kubelet with --allow-privileged=true ...
  3. Create a sample Volcano job YAML file and add the "privileged: true" field to the YAML. Then create the job with the command "kubectl apply".

Environment
Volcano version: The latest version
Kubernetes version: 1.14.3
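
The workaround above removes the whole validating webhook, so every field check it performed is lost, and a cluster operator will want to know when that happens. As an added example (not part of the original issue or the Volcano project), this Python code scans kube-apiserver audit log lines for changes to admission webhook configurations; it goes beyond the single `kubectl delete` shown above by also covering update/patch and mutating webhooks. The sample events and user names are constructed.

```python
import json

# Constructed kube-apiserver audit events (one JSON object per line); not from the issue.
SAMPLE_AUDIT_LOG = r"""
{"stage":"RequestReceived","verb":"delete","user":{"username":"alice"},"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"validatingwebhookconfigurations","name":"volcano-admission-service-validate-job"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"validatingwebhookconfigurations","name":"volcano-admission-service-validate-job"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"validatingwebhookconfigurations","name":"volcano-admission-service-validate-job"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"apiGroup":"admissionregistration.k8s.io","resource":"validatingwebhookconfigurations","name":"volcano-admission-service-validate-job"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"demo"},"responseStatus":{"code":200}}
truncated-line {"stage":
""".strip().splitlines()

ADMISSION_GROUP = "admissionregistration.k8s.io"
WATCHED_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}
CHANGE_VERBS = {"delete", "deletecollection", "update", "patch"}


def find_webhook_changes(lines):
    """Return one finding per completed request that removes or alters an admission webhook."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(event, dict):
            continue
        # Each request is logged at several stages; count only the final one.
        if event.get("stage") != "ResponseComplete":
            continue
        ref = event.get("objectRef") or {}
        if ref.get("apiGroup") != ADMISSION_GROUP:
            continue
        if ref.get("resource") not in WATCHED_RESOURCES or event.get("verb") not in CHANGE_VERBS:
            continue
        code = (event.get("responseStatus") or {}).get("code", 0)
        findings.append({
            "user": (event.get("user") or {}).get("username", "unknown"),
            "verb": event["verb"],
            "resource": ref["resource"],
            "name": ref.get("name", "*"),  # deletecollection carries no object name
            "succeeded": 200 <= code < 300,  # denied attempts are still worth reviewing
        })
    return findings


if __name__ == "__main__":
    for finding in find_webhook_changes(SAMPLE_AUDIT_LOG):
        print(finding)
```
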

@hzxuzhonghu
Collaborator

@goversion Thanks for reporting. It seems to be a bug, which we did not consider before.

@hzxuzhonghu hzxuzhonghu added the kind/bug Categorizes issue or PR as related to a bug. label Aug 8, 2019
@k82cn
Member

k82cn commented Aug 12, 2019

/assign @hzxuzhonghu, would you help on that?

@hzxuzhonghu
Collaborator

/assign

@hzxuzhonghu
Collaborator

Given the inconsistent validation in Volcano and kube-apiserver, I would suggest introducing max-retry to Volcano, so we can prevent endless retries.

@hzxuzhonghu
Collaborator

Maybe I should file a new issue.
