[
https://issues.apache.org/jira/browse/YUNIKORN-966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542084#comment-17542084
]
Craig Condit commented on YUNIKORN-966:
---------------------------------------
I think if there is a conflict between the spark defined user and the yunikorn
user, the yunikorn user needs to take precedence. The reason for this is that
currently, it's possible to create an admission controller which forcibly sets
the username based on security policy. If we allow this to be overridden by
Spark, then that creates a security hole. I will update the PR review with this
as well.
> Retrieve the username from the SparkApp CRD
> -------------------------------------------
>
> Key: YUNIKORN-966
> URL: https://issues.apache.org/jira/browse/YUNIKORN-966
> Project: Apache YuniKorn
> Issue Type: Sub-task
> Components: shim - kubernetes
> Reporter: Chaoran Yu
> Assignee: ted
> Priority: Minor
> Labels: pull-request-available
>
> Currently the shim only looks at the pods to get the value of the label
> yunikorn.apache.org/username. When the Spark operator plugin is enabled, we
> should look at the SparkApp CRD for the label.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: issues-h...@yunikorn.apache.org
