Comments (10)
Monokaix
commented on July 24, 2024
1、volcano admission need generate secrets in a init job, and I will fire a pr to shrink permissions.
2、volcano controller's permissions of list/watch secrets have been removed in latest version.
3、update permission is necessary for volcano controller because it need update pod's podgroup, etc.
from volcano.
kaaass
commented on July 24, 2024
@Monokaix I tried to find all update/patch relate operation to pods. Maybe we only need the patch verb instead of update verb?
volcano/pkg/scheduler/api/devices/nvidia/vgpu/utils.go
Lines 437 to 438 in fa0548f
from volcano.
lowang-bh
commented on July 24, 2024
similar issues : A potential risk in volcano that could lead to takeover of the cluster #3446
from volcano.
Monokaix
commented on July 24, 2024
@Monokaix I tried to find all update/patch relate operation to
pods. Maybe we only need thepatchverb instead ofupdateverb?volcano/pkg/scheduler/api/devices/nvidia/vgpu/utils.go
Lines 437 to 438 in fa0548f
After a deep insight, volcano scheduler called UpdateStatus method, which needs update verb role: )
from volcano.
Monokaix
commented on July 24, 2024
And volcano admission related permissions has been reduced in pr #3504
from volcano.
Monokaix
commented on July 24, 2024
@kaaass I think we can remove update verb in volcano controller, you can do that if you're available: )
from volcano.
kaaass
commented on July 24, 2024
After a deep insight, volcano scheduler called
UpdateStatusmethod, which needs update verb role: )
@Monokaix Thank you for reply : )
UpdateStatus only requires permission to subresource pods/status (client-go source code). Subresource uses a separate permission grants (document).
@kaaass I think we can remove update verb in volcano controller, you can do that if you're available: )
I'm happy to do that! Sadly I'm a little busy at the time. I'll give it a try if it is still unsolved maybe later this week : )
from volcano.
Monokaix
commented on July 24, 2024
After a deep insight, volcano scheduler called
UpdateStatusmethod, which needs update verb role: )@Monokaix Thank you for reply : )
UpdateStatusonly requires permission to subresourcepods/status(client-go source code). Subresource uses a separate permission grants (document).@kaaass I think we can remove update verb in volcano controller, you can do that if you're available: )
I'm happy to do that! Sadly I'm a little busy at the time. I'll give it a try if it is still unsolved maybe later this week : )
That's ok.
from volcano.
Monokaix
commented on July 24, 2024
/close
from volcano.
volcano-sh-bot
commented on July 24, 2024
@Monokaix: Closing this issue.
In response to this:
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from volcano.
Related Issues (20)
- when using spark with volcano ,queue allocated exceeds capability HOT 13
- 如何查看正在pending的vcjob的优先级顺序,比如有A,B,C三个任务正在pending,怎么看哪个任务优先级最高会先被调度 HOT 1
- Occasionally Failed E2E Test Cases for Claim
- In the rolling upgrade scenario of multiple deployments, there is a possibility that the corresponding pod group is not created for ReplicaSet. HOT 2
- upgrade kube-state-metrics version to v1.9.8/v2.12.0 from v1.9.7 HOT 3
- volcano 案例demo无法调度 HOT 5
- Preemption between the jobs in the same queue is not work well when enable gang plugin HOT 7
- grafana监控无法显示Dashboard大部分指标 HOT 7
- Optimize the --version command HOT 1
- reschedule not work HOT 2
- --node-selector config doesn't consider for csinode HOT 2
- Support Hierarchical Queue on Capacity Plugin
- Adjustment of Initialization for Volcano Controllers Module HOT 5
- Why isn't there a job level preemption when gang and priority is enabled HOT 1
- Enable OpenSSF Scorecard to enhance security practices across the project HOT 1
- The volcano controller may have memory leak issues in large-scale clusters HOT 4
- Pod are repeatedly created and deleted
- Garbage Collector is supposed to clean up Aborted volcanojobs HOT 7
- volcano vgpu metrics not update properly HOT 6
- MPI Job in Volcano gets Terminated HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from volcano.