Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
1.2.0
Description
YUNIKORN-1338 added support in the admission controller for mutating workload objects other than Pods for the purposes of user tracking (and eventual enforcement). This functionality works as designed.
However, in the case where a ReplicaSet is managed by a Deployment, the changes to the ReplicaSet pod template trigger the associated Deployment to recreate the ReplicaSet without the changes, which the admission controller then updates, triggering another ReplicaSet, etc. ad infinitum.
The workaround for now is to set the following in the yunikorn-configs ConfigMap, which disables the functionality:
admissionController.accessControl.bypassAuth: "true"
The real fix needs to take into account any ownerReference in a workload which points to another workload type that we manage. This definitely includes ReplicaSet -> Deployment, but could include other workload relationships (more investigation needed on this).
For ReplicaSets, if the ownerReference is set to a Deployment, it should be sufficient to check for that and assume that the Deployment itself has passed in the appropriate user information due to the admission controller having mutated the Deployment.
Attachments
Issue Links
- is caused by
-
YUNIKORN-1338 [admission] support different kind of workloads other than pods
-
- Closed
-
- links to