#minor Enable hostnetworking globablly for all launched pods (flyteor…

…g#234) * Enable hostnetworking globablly for all launched pods Signed-off-by: Ketan Umare <[email protected]> * fixing tests Signed-off-by: Ketan Umare <[email protected]> * Goimports Signed-off-by: Ketan Umare <[email protected]> * goimports Signed-off-by: Ketan Umare <[email protected]>
eapolinario · Jan 19, 2022 · 7b6cb54 · 7b6cb54
1 parent 5582390
commit 7b6cb54
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 0 deletions.
diff --git a/go/tasks/config_load_test.go b/go/tasks/config_load_test.go
@@ -87,6 +87,8 @@ func TestLoadConfig(t *testing.T) {
 		assert.NotNil(t, k8sConfig.DefaultSecurityContext)
 		assert.NotNil(t, k8sConfig.DefaultSecurityContext.AllowPrivilegeEscalation)
 		assert.False(t, *k8sConfig.DefaultSecurityContext.AllowPrivilegeEscalation)
+		assert.NotNil(t, k8sConfig.EnableHostNetworkingPod)
+		assert.True(t, *k8sConfig.EnableHostNetworkingPod)
 	})
 
 	t.Run("logs-config-test", func(t *testing.T) {

diff --git a/go/tasks/pluginmachinery/flytek8s/config/config.go b/go/tasks/pluginmachinery/flytek8s/config/config.go
@@ -139,6 +139,11 @@ type K8sPluginConfig struct {
 	// DefaultSecurityContext provides a default container security context that should be applied for the primary container launched and created by FlytePropeller. This may not be applicable to all plugins. For
 	//	// downstream plugins - i.e. TensorflowOperators may not support setting this, but Spark does.
 	DefaultSecurityContext *v1.SecurityContext `json:"default-security-context" pflag:"-,Optionally specify a default security context that should be applied to every container launched/created by FlytePropeller. This will not be applied to plugins that do not support it or to user supplied containers in pod tasks."`
+
+	// EnableHostNetworkingPod is a binary switch to enable `hostNetwork: true` for all pods launched by Flyte.
+	// Refer to - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.
+	// As a follow up, the default pod configurations will now be adjusted using podTemplates per namespace
+	EnableHostNetworkingPod *bool `json:"enable-host-networking-pod" pflag:"-,If true, will schedule all pods with hostNetwork: true."`
 }
 
 // FlyteCoPilotConfig specifies configuration for the Flyte CoPilot system. FlyteCoPilot, allows running flytekit-less containers

diff --git a/go/tasks/pluginmachinery/flytek8s/pod_helper.go b/go/tasks/pluginmachinery/flytek8s/pod_helper.go
@@ -91,6 +91,9 @@ func UpdatePodWithInterruptibleFlag(taskExecutionMetadata pluginsCore.TaskExecut
 	if podSpec.SecurityContext == nil && config.GetK8sPluginConfig().DefaultPodSecurityContext != nil {
 		podSpec.SecurityContext = config.GetK8sPluginConfig().DefaultPodSecurityContext.DeepCopy()
 	}
+	if config.GetK8sPluginConfig().EnableHostNetworkingPod != nil {
+		podSpec.HostNetwork = *config.GetK8sPluginConfig().EnableHostNetworkingPod
+	}
 	ApplyInterruptibleNodeAffinity(isInterruptible, podSpec)
 }
 

diff --git a/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go b/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go
@@ -494,6 +494,36 @@ func TestToK8sPod(t *testing.T) {
 		assert.NotNil(t, p.SecurityContext)
 		assert.Equal(t, *p.SecurityContext.RunAsGroup, v)
 	})
+
+	t.Run("enableHostNetwork", func(t *testing.T) {
+		enabled := true
+		assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{
+			EnableHostNetworkingPod: &enabled,
+		}))
+		x := dummyExecContext(&v1.ResourceRequirements{})
+		p, err := ToK8sPodSpec(ctx, x)
+		assert.NoError(t, err)
+		assert.True(t, p.HostNetwork)
+	})
+
+	t.Run("explicitDisableHostNetwork", func(t *testing.T) {
+		enabled := false
+		assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{
+			EnableHostNetworkingPod: &enabled,
+		}))
+		x := dummyExecContext(&v1.ResourceRequirements{})
+		p, err := ToK8sPodSpec(ctx, x)
+		assert.NoError(t, err)
+		assert.False(t, p.HostNetwork)
+	})
+
+	t.Run("skipSettingHostNetwork", func(t *testing.T) {
+		assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{}))
+		x := dummyExecContext(&v1.ResourceRequirements{})
+		p, err := ToK8sPodSpec(ctx, x)
+		assert.NoError(t, err)
+		assert.False(t, p.HostNetwork)
+	})
 }
 
 func TestDemystifyPending(t *testing.T) {

diff --git a/go/tasks/testdata/config.yaml b/go/tasks/testdata/config.yaml
@@ -56,6 +56,7 @@ plugins:
       fsGroup: 2000
     default-security-context:
       allowPrivilegeEscalation: false
+    enable-host-networking-pod: true
   # Spark Plugin configuration
   spark:
     spark-config-default: