Amit Sharma created YUNIKORN-649:
------------------------------------

             Summary: Require improved methodology for determining k8s user
                 Key: YUNIKORN-649
                 URL: https://issues.apache.org/jira/browse/YUNIKORN-649
             Project: Apache YuniKorn
          Issue Type: Improvement
          Components: shim - kubernetes
            Reporter: Amit Sharma


The Kubernetes metadata does not carry user information by design. This is 
documented here: 
[https://kubernetes.io/docs/reference/access-authn-authz/authentication/]

The only thing close to any identity is a ServiceAccount. However, this is not 
the ideal way of looking at identities as there is no authentication mechanism 
for the service account directly. It relies on the authentication mechanism 
deployed on the cluster. The cluster authentication mechanism varies from 
deployment to deployment. 

There are 2 possible ways of doing this. 
1) One generic solution can be to modify the source of the user from 
ServiceAccount to a Label/Annotation. 
2) Extending point 1, instead of changing from service account to 
label/annotation, it can be a configurable field which defaults to 
Label/Annotation. 

While point 2 provides more user flexibility, it also reduces the structure or 
clear path that YuniKorn can follow in determining a user. 

Since YuniKorn is expected to be primarily deployed by owners of a Kubernetes 
platform rather than individual applications, we can share a structure using 
point 1 as a solution. 

Please share your thoughts. 


