[ https://issues.apache.org/jira/browse/YARN-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16276159#comment-16276159 ]
Xuan Gong commented on YARN-7468:
---------------------------------

Thanks, [~clayb] for creating the Jira. In general, we are trying to isolate network access for applications launched by users/groups. Ideally, YARN should be able to isolate both egress and ingress network for launched containers. For the first step, we only focus on egress network isolation (we will look at ingress network in the future). For example, we only allow privileged users the ability to copy sensitive data out from a cluster.

[~clayb] has described many interesting use-cases from the user's perspective. From YARN's perspective:

* YARN will not/should not enforce isolation itself - admins should use their tools like iptables
* YARN should tag the traffic going out of YARN containers to enable DMZ-like use-cases

Here, we can follow in the footsteps of YARN-2140; using the same cgroups network classifier, we can filter the packets without having to use network namespaces.

> Provide means for container network policy control
> --------------------------------------------------
>
> Key: YARN-7468
> URL: https://issues.apache.org/jira/browse/YARN-7468
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Clay B.
> Priority: Minor
>
> To prevent data exfiltration from a YARN cluster, it would be very helpful to
> have "firewall" rules able to map to a user/queue's containers.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
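The split the comment proposes (YARN tags a container's traffic with a net_cls classid, the admin enforces with iptables) sketched as an added example; this is not YARN code or anything from the ticket. It assumes cgroup v1 net_cls mounted at /sys/fs/cgroup/net_cls, the xt_cgroup iptables match, and the classid/allow-list values shown are made up for illustration.

```shell
#!/bin/sh
# Added example: tag one container's egress with a net_cls classid and
# let iptables allow only an approved destination list, logging the rest.
# Assumption: cgroup v1 net_cls hierarchy at CG_ROOT (root needed for APPLY=1).
CG_ROOT="${CG_ROOT:-/sys/fs/cgroup/net_cls}"

# net_cls.classid is a 32-bit value: high 16 bits = major (tc handle),
# low 16 bits = minor. classid_hex 1 10 -> 0x0001000a
classid_hex() {
    printf '0x%04x%04x' "$1" "$2"
}

# Emit the iptables rules for one tagged cgroup: ACCEPT each allowed CIDR,
# then LOG and DROP everything else the container tries to send out.
# Usage: egress_rules <classid> [allowed_cidr ...]
egress_rules() {
    classid="$1"; shift
    for cidr in "$@"; do
        echo "iptables -A OUTPUT -m cgroup --cgroup $classid -d $cidr -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m cgroup --cgroup $classid -j LOG --log-prefix \"yarn-egress-drop: \""
    echo "iptables -A OUTPUT -m cgroup --cgroup $classid -j DROP"
}

# Create the container's net_cls cgroup and write its classid (root only).
# The container launcher would then add the container's PIDs to cgroup.procs.
tag_container() {
    cg="$CG_ROOT/yarn/$1"
    mkdir -p "$cg"
    echo "$2" > "$cg/net_cls.classid"
}

# Dry run:  CONTAINER=container_e01_0001 ./egress.sh 10.0.0.0/8 192.168.1.0/24
# Enforce:  APPLY=1 CONTAINER=container_e01_0001 ./egress.sh 10.0.0.0/8
if [ -n "${CONTAINER:-}" ]; then
    cid=$(classid_hex 1 10)          # constructed major:minor for the demo
    if [ "${APPLY:-0}" = 1 ]; then
        tag_container "$CONTAINER" "$cid"
        egress_rules "$cid" "$@" | sh
    else
        egress_rules "$cid" "$@"
    fi
fi
```

Without APPLY=1 the script only prints the rules, so it can be reviewed before any cgroup or firewall state is touched.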