This is an automated email from the ASF dual-hosted git repository.
wilfreds pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/yunikorn-site.git
The following commit(s) were added to refs/heads/master by this push:
new b2e91403ca [YUNIKORN-3132] New security context settings for
placeholder pods (#546)
b2e91403ca is described below
commit b2e91403caf882db3471d86827478b28b5df819d
Author: Aditya Maheshwari <[email protected]>
AuthorDate: Thu Mar 12 11:32:20 2026 +1100
[YUNIKORN-3132] New security context settings for placeholder pods (#546)
Documentation for the settings:
- service.placeholderRunAsUser
- service.placeholderRunAsGroup
- service.placeholderFsGroup
Closes: #546
Signed-off-by: Wilfred Spiegelenburg <[email protected]>
---
docs/user_guide/service_config.md | 42 +++++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
diff --git a/docs/user_guide/service_config.md
b/docs/user_guide/service_config.md
index 8a804ab595..8eb420c6c6 100644
--- a/docs/user_guide/service_config.md
+++ b/docs/user_guide/service_config.md
@@ -247,7 +247,7 @@ Sets the tolerations for the YuniKorn scheduler pod.
Default: `[]`
-Example:
+Example:
```yaml
tolerations:
- key: node-role.kubernetes.io/control-plane
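Review bot: The `Example:` line is removed and re-added with no visible difference, which points to a whitespace-only change unrelated to the placeholder security context settings named in the commit message. The same pattern recurs in the next tolerations hunk. Consider moving these into a separate cleanup commit so this diff shows only the documentation change.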
@@ -262,7 +262,7 @@ Sets the tolerations for the YuniKorn admission controller
pod.
Default: `[]`
-Example:
+Example:
```yaml
admissionController:
tolerations:
@@ -540,6 +540,9 @@ data:
service.disableGangScheduling: "false"
service.enableConfigHotRefresh: "true"
service.placeholderImage: "registry.k8s.io/pause:3.7"
+ service.placeholderRunAsUser: 65535
+ service.placeholderRunAsGroup: 65535
+ service.placeholderFsGroup: 65535
service.instanceTypeNodeLabelKey: "node.kubernetes.io/instance-type"
health.checkInterval: "30s"
log.level: "INFO"
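Review bot: The three added `service.placeholder*` entries in this `data:` example are bare integers, while every neighbouring entry is a quoted string, including `"false"` and `"true"`. ConfigMap `data` values must be strings, so a manifest copied from this block with an unquoted `65535` will be rejected by the API server. Suggest `service.placeholderRunAsUser: "65535"` and the same quoting for the group and fsGroup lines.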
@@ -692,6 +695,33 @@ Example:
```yaml
service.placeholderImage: "registry.k8s.io/pause:3.6"
```
+#### service.placeholderRunAsUser
+**Optional** setting which sets the runtime user ID of the entrypoint process
of the placeholder container.
+
+Default: If value not provided, it will default to the user of the image you
set in `service.placeholderImage`. For the default placeholder image
(`registry.k8s.io/pause`) it is `65535`.
+
+Example:
+```yaml
+service.placeholderRunAsUser: 65535
+```
+#### service.placeholderRunAsGroup
+**Optional** setting which sets the runtime group ID of the entrypoint process
of the placeholder container.
+
+Default: If value not provided, it will default to the group of the image you
set in `service.placeholderImage`. For the default placeholder image
(`registry.k8s.io/pause`) it is `65535`.
+
+Example:
+```yaml
+service.placeholderRunAsGroup: 65535
+```
+#### service.placeholderFsGroup
+**Optional** setting which sets the runtime fsGroup ID of the entrypoint
process of the placeholder container.
+
+Default: If value not provided, it will *NOT* be set.
+
+Example:
+```yaml
+service.placeholderFsGroup: 65535
+```
#### service.instanceTypeNodeLabelKey
Sets the node label that will be used to determine the instance type of node.
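Review bot: The `service.placeholderFsGroup` description reuses the wording of the two settings above it ("runtime fsGroup ID of the entrypoint process"), but in Kubernetes `fsGroup` is a pod-level security context field that controls group ownership of mounted volumes and is applied as a supplementary group. It is not an ID the entrypoint process runs as, so the sentence should be reworded. Two smaller points in the same hunk: the three example values are unquoted, unlike the `service.placeholderImage` example directly above, and none of the sections says which values are accepted (for instance whether `0` is allowed for the user ID), which readers hardening placeholder pods will want to know.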
@@ -810,9 +840,9 @@ log.level: "DEBUG"
#### log.\{subsystem\}.level
Sets the verbosity that YuniKorn subsystem will log at.
-Yunikorn allows fine-grained logging configuration in a hierarchical manner.
For example,
-setting an entry for `log.core.level` will configure all loggers that start
with `core.`
-(including `core.scheduler`, etc.) unless a more specific configuration is
present.
+Yunikorn allows fine-grained logging configuration in a hierarchical manner.
For example,
+setting an entry for `log.core.level` will configure all loggers that start
with `core.`
+(including `core.scheduler`, etc.) unless a more specific configuration is
present.
Each subsystem[^1] has its log level.
A change to this setting will be picked up without a restart of YuniKorn. The
available
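Review bot: The three removed lines of the `log.{subsystem}.level` paragraph are re-added with no visible difference, so this looks like whitespace-only churn unrelated to the commit. If the lines are being touched anyway, `Yunikorn` at the start of the paragraph could be corrected to `YuniKorn` to match the sentence just above it. Otherwise, drop the hunk.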
@@ -935,7 +965,7 @@ Example:
admissionController.filtering.bypassNamespaces: "^kube-system$,^fluentd-"
```
-> **_NOTE :_**
+> **_NOTE :_**
> To simplify management, you can directly set the
> `yunikorn.apache.org/namespace.enableYunikorn` annotation on the namespace
> itself, regardless of whether it is specified in a regular expression. This
> annotation enables you to determine if the namespace should be managed by
> Yunikorn.
#### admissionController.filtering.labelNamespaces