From 7b6cb54448f0ed57ab6902a2b16ee6f30dd5950b Mon Sep 17 00:00:00 2001
From: Ketan Umare <16888709+kumare3@users.noreply.github.com>
Date: Tue, 18 Jan 2022 21:42:58 -0800
Subject: [PATCH] #minor Enable hostnetworking globablly for all launched pods (#234)
* Enable hostnetworking globablly for all launched pods
Signed-off-by: Ketan Umare
* fixing tests
Signed-off-by: Ketan Umare
* Goimports
Signed-off-by: Ketan Umare
* goimports
Signed-off-by: Ketan Umare
---
 go/tasks/config_load_test.go | 2 ++
 .../pluginmachinery/flytek8s/config/config.go | 5 ++++
 .../pluginmachinery/flytek8s/pod_helper.go | 3 ++
 .../flytek8s/pod_helper_test.go | 30 +++++++++++++++++++
 go/tasks/testdata/config.yaml | 1 +
 5 files changed, 41 insertions(+)
diff --git a/go/tasks/config_load_test.go b/go/tasks/config_load_test.go
index b827cda1cd..5cbad71221 100755
--- a/go/tasks/config_load_test.go
+++ b/go/tasks/config_load_test.go
@@ -87,6 +87,8 @@ func TestLoadConfig(t *testing.T) {
 assert.NotNil(t, k8sConfig.DefaultSecurityContext)
 assert.NotNil(t, k8sConfig.DefaultSecurityContext.AllowPrivilegeEscalation)
 assert.False(t, *k8sConfig.DefaultSecurityContext.AllowPrivilegeEscalation)
+ assert.NotNil(t, k8sConfig.EnableHostNetworkingPod)
+ assert.True(t, *k8sConfig.EnableHostNetworkingPod)
 })
 t.Run("logs-config-test", func(t *testing.T) {
diff --git a/go/tasks/pluginmachinery/flytek8s/config/config.go b/go/tasks/pluginmachinery/flytek8s/config/config.go
index 827db81cb2..e53fad4736 100755
--- a/go/tasks/pluginmachinery/flytek8s/config/config.go
+++ b/go/tasks/pluginmachinery/flytek8s/config/config.go
@@ -139,6 +139,11 @@ type K8sPluginConfig struct {
 // DefaultSecurityContext provides a default container security context that should be applied for the primary container launched and created by FlytePropeller. This may not be applicable to all plugins. For
 // // downstream plugins - i.e. TensorflowOperators may not support setting this, but Spark does.
 DefaultSecurityContext *v1.SecurityContext `json:"default-security-context" pflag:"-,Optionally specify a default security context that should be applied to every container launched/created by FlytePropeller. This will not be applied to plugins that do not support it or to user supplied containers in pod tasks."`
+
+ // EnableHostNetworkingPod is a binary switch to enable `hostNetwork: true` for all pods launched by Flyte.
+ // Refer to - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.
+ // As a follow up, the default pod configurations will now be adjusted using podTemplates per namespace
+ EnableHostNetworkingPod *bool `json:"enable-host-networking-pod" pflag:"-,If true, will schedule all pods with hostNetwork: true."`
 }
 // FlyteCoPilotConfig specifies configuration for the Flyte CoPilot system. FlyteCoPilot, allows running flytekit-less containers
diff --git a/go/tasks/pluginmachinery/flytek8s/pod_helper.go b/go/tasks/pluginmachinery/flytek8s/pod_helper.go
index 8841cdfe22..039e75fbaa 100755
--- a/go/tasks/pluginmachinery/flytek8s/pod_helper.go
+++ b/go/tasks/pluginmachinery/flytek8s/pod_helper.go
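Review bot: The doc comment on `EnableHostNetworkingPod` in `K8sPluginConfig` (config.go) calls the field a binary switch, but it is a `*bool` with three states, and the comment says neither what the unset case does nor what host networking costs. Going by the pod_helper.go hunk in this patch, nil leaves `podSpec.HostNetwork` untouched while true or false overwrites it, so I would add `// nil leaves the pod spec's hostNetwork as built; true or false overwrites it.` A second line such as `// hostNetwork pods share the node's network namespace (node-local listeners become reachable, ports are taken on the node); enable only where cluster admission policy permits it.` gives operators the security context they need before flipping it. The linked page documents PodSecurityPolicy, which Kubernetes deprecated in 1.21, so the reference may not age well. The struct body starts before this hunk.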
@@ -91,6 +91,9 @@ func UpdatePodWithInterruptibleFlag(taskExecutionMetadata pluginsCore.TaskExecut
 if podSpec.SecurityContext == nil && config.GetK8sPluginConfig().DefaultPodSecurityContext != nil {
 podSpec.SecurityContext = config.GetK8sPluginConfig().DefaultPodSecurityContext.DeepCopy()
 }
+ if config.GetK8sPluginConfig().EnableHostNetworkingPod != nil {
+ podSpec.HostNetwork = *config.GetK8sPluginConfig().EnableHostNetworkingPod
+ }
 ApplyInterruptibleNodeAffinity(isInterruptible, podSpec)
 }
diff --git a/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go b/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go
index cca1f3a6ae..ee4b8e142a 100755
--- a/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go
+++ b/go/tasks/pluginmachinery/flytek8s/pod_helper_test.go
@@ -494,6 +494,36 @@ func TestToK8sPod(t *testing.T) {
 assert.NotNil(t, p.SecurityContext)
 assert.Equal(t, *p.SecurityContext.RunAsGroup, v)
 })
+
+ t.Run("enableHostNetwork", func(t *testing.T) {
+ enabled := true
+ assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{
+ EnableHostNetworkingPod: &enabled,
+ }))
+ x := dummyExecContext(&v1.ResourceRequirements{})
+ p, err := ToK8sPodSpec(ctx, x)
+ assert.NoError(t, err)
+ assert.True(t, p.HostNetwork)
+ })
+
+ t.Run("explicitDisableHostNetwork", func(t *testing.T) {
+ enabled := false
+ assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{
+ EnableHostNetworkingPod: &enabled,
+ }))
+ x := dummyExecContext(&v1.ResourceRequirements{})
+ p, err := ToK8sPodSpec(ctx, x)
+ assert.NoError(t, err)
+ assert.False(t, p.HostNetwork)
+ })
+
+ t.Run("skipSettingHostNetwork", func(t *testing.T) {
+ assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{}))
+ x := dummyExecContext(&v1.ResourceRequirements{})
+ p, err := ToK8sPodSpec(ctx, x)
+ assert.NoError(t, err)
+ assert.False(t, p.HostNetwork)
+ })
 }
 func TestDemystifyPending(t *testing.T) {
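Review bot: The added block in go/tasks/pluginmachinery/flytek8s/pod_helper.go sets `podSpec.HostNetwork` but leaves `podSpec.DNSPolicy` alone, and Kubernetes treats a hostNetwork pod with the default ClusterFirst policy as if it used the node's resolver, so task pods may lose in-cluster service name resolution once the switch is on. When the flag is true and the spec carries no DNS policy of its own, also set `podSpec.DNSPolicy = v1.DNSClusterFirstWithHostNet` (this assumes the file imports k8s.io/api/core/v1 as `v1`, which the hunk does not show). The assignment is also unconditional whenever the option is non-nil, so a configured `false` would overwrite a `hostNetwork: true` already present on the spec; if that operator override is intended, say so with a comment like `// operator setting wins over any hostNetwork value already on the spec`. Because these pods run task code, enabling this cluster-wide places that code in the node's network namespace, which deserves a mention next to the assignment. The enclosing function starts before the hunk and its name is truncated in the hunk header.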
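Review bot: The `explicitDisableHostNetwork` and `skipSettingHostNetwork` subtests in pod_helper_test.go assert the same result, `assert.False(t, p.HostNetwork)`, so they cannot tell "nil leaves the field alone" from "nil is treated as false". Both start from whatever `ToK8sPodSpec` builds, which presumably has HostNetwork false already; a case that runs the pod-update helper on a spec with `HostNetwork: true`, once with the option nil and once with it false, would pin both behaviours. Each subtest also replaces the global plugin config through `config.SetK8sPluginConfig` and does not restore it, so later tests in the package inherit whatever the last subtest set; a `t.Cleanup` that puts the previous config back would remove the order dependence. `TestToK8sPod` begins before the hunk.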
diff --git a/go/tasks/testdata/config.yaml b/go/tasks/testdata/config.yaml
index fdc3266410..208e4df49e 100755
--- a/go/tasks/testdata/config.yaml
+++ b/go/tasks/testdata/config.yaml
@@ -56,6 +56,7 @@ plugins:
 fsGroup: 2000
 default-security-context:
 allowPrivilegeEscalation: false
+ enable-host-networking-pod: true
 # Spark Plugin configuration
 spark:
 spark-config-default: