This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

Inject and Use values from Security Context #153

Merged 5 commits on Mar 17, 2021

anandswaminathan
Contributor

This change is related to deprecation on auth from Flyte and injecting SecurityContext.

  • Ensured Backward compatibility
  • Spark will use the serviceAccount from SecurityContext, if not default to "spark"
  • AWS Array tasks will check the securityContext before defaulting to iam_role.

Type

  • Bug Fix
  • Feature
  • Plugin

@EngHabu @kumare3

Contributor

@kumare3 kumare3 left a comment

I think you have missed out on sagemaker

@@ -50,7 +50,12 @@ func EnsureJobDefinition(ctx context.Context, tCtx pluginCore.TaskExecutionConte
return nil, errors.Errorf(pluginErrors.BadTaskSpecification, "Tasktemplate does not contain a container image.")
}

role := awsUtils.GetRole(ctx, cfg.RoleAnnotationKey, tCtx.TaskExecutionMetadata().GetAnnotations())
role := awsUtils.GetRole(ctx, cfg.RoleSecurityContextKey, tCtx.TaskExecutionMetadata().GetSecurityContext())
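Review bot: The second `role :=` line reads as an outright replacement of the annotation lookup (`cfg.RoleAnnotationKey`, `GetAnnotations()`) with the security-context lookup, so a task that still sets its role only through the annotation would end up with an empty role here, which conflicts with the backward compatibility the description promises. Keep the annotation lookup as a fallback when the security context yields no role, and state the precedence in a comment, since it decides which role this function goes on to use.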
Contributor

should we make this into a protobuf enum - cfg.RoleSecurityContextKey

Contributor Author

I am not inclined for this one. But for serviceAccountName maybe? What do you think?

Contributor

Why not for Role - AWS Batch, Sagemaker, Athena etc may all need a role, then how do we make it consistent

Contributor Author

done

go/tasks/plugins/k8s/container/container.go (outdated)
@anandswaminathan
Contributor Author

PTAL @akhurana001 This is a backward incompatible for SPARK - right fix.

If someone passes the ServiceAccount. Spark plugin has to respect it.

@akhurana001
Contributor

akhurana001 commented Mar 3, 2021

> PTAL @akhurana001 This is a backward incompatible for SPARK - right fix.
>
> If someone passes the ServiceAccount. Spark plugin has to respect it.

I am still wrapping my head around why users of the platform need to know about service accounts or K8s concepts.

How can users roll-out this change safely if this is backward incompatible? Can we default to spark if not set?

@anandswaminathan
Contributor Author

@akhurana001 Let me clarify

  • So it's backward compatible for most folks. Default is still Spark.
  • Only folks who are using the ServiceAccount field in flyteidl, but still expect the default spark to be used, will be affected.
    cc @kumare3

@codecov

codecov bot commented Mar 11, 2021

Codecov Report

Merging #153 (2aa7875) into master (4f22a59) will increase coverage by 0.03%.
The diff coverage is 88.46%.

@@            Coverage Diff             @@
##           master     #153      +/-   ##
==========================================
+ Coverage   60.33%   60.37%   +0.03%     
==========================================
  Files         130      130              
  Lines        7027     7044      +17     
==========================================
+ Hits         4240     4253      +13     
- Misses       2362     2364       +2     
- Partials      425      427       +2     
| Flag | Coverage Δ |
|---|---|
| unittests | 60.37% <88.46%> (+0.03%) ⬆️ |

| Impacted Files | Coverage Δ |
|---|---|
| go/tasks/plugins/array/awsbatch/config/config.go | 0.00% <ø> (ø) |
| ...sks/plugins/k8s/sagemaker/hyperparameter_tuning.go | 60.69% <50.00%> (-1.16%) ⬇️ |
| go/tasks/plugins/k8s/spark/spark.go | 76.61% <60.00%> (-0.53%) ⬇️ |
| go/tasks/pluginmachinery/flytek8s/utils.go | 90.00% <100.00%> (+23.33%) ⬆️ |
| go/tasks/plugins/array/awsbatch/job_definition.go | 64.70% <100.00%> (ø) |
| go/tasks/plugins/k8s/container/container.go | 78.94% <100.00%> (ø) |
| go/tasks/plugins/k8s/sagemaker/builtin_training.go | 71.91% <100.00%> (ø) |
| ...o/tasks/plugins/k8s/sagemaker/plugin_test_utils.go | 95.27% <100.00%> (+0.11%) ⬆️ |
| go/tasks/plugins/k8s/sidecar/sidecar.go | 76.78% <100.00%> (ø) |

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4f22a59...2aa7875. Read the comment docs.

role := awsUtils.GetRole(ctx, cfg.RoleAnnotationKey, taskCtx.TaskExecutionMetadata().GetAnnotations())
if role == "" {
role := awsUtils.GetRoleFromSecurityContext(taskCtx.TaskExecutionMetadata().GetSecurityContext())
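Review bot: The `role :=` inside the `if role == "" {` block declares a new variable that shadows the outer `role`, so the value returned by `GetRoleFromSecurityContext` is lost when the block ends and the outer `role` stays empty. Use plain assignment (`role = awsUtils.GetRoleFromSecurityContext(...)`) inside the block so the security-context role actually reaches the code that follows.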

Contributor

nit: helper method since looks like this is being repetitive ?

Contributor Author

Sure

go.sum (outdated)
role := awsUtils.GetRoleFromSecurityContext(taskCtx.TaskExecutionMetadata().GetSecurityContext())

// Continue this for backward compatibility
if len(role) == 0 {
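Review bot: The comment `// Continue this for backward compatibility` above `if len(role) == 0 {` does not say which legacy source the branch reads or when it can be removed. Name the fallback in the comment and mark it as deprecated, and consider logging when the branch is taken so operators can find the tasks that still depend on it before it is dropped.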
Contributor

We should probably encapsulate the backward compat code in one place... so we can deprecate it easier and avoid new plugins having to know to do that...

Contributor Author

Cool.
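
The encapsulation suggested in this review thread, sketched as an added example that is not part of the pull request or the flyteplugins code base: one helper owns the precedence (security context first, legacy annotation second) and reports which source supplied the role. `SecurityContext`, `ResolveRole`, `RoleSource` and the annotation key are hypothetical names, and the inputs are constructed.

```go
package main

import "fmt"

// SecurityContext is a hypothetical stand-in for the security context that
// the task metadata carries; it is not the flyteidl type.
type SecurityContext struct {
	IAMRole string
}

// RoleSource records which input supplied the role, for logging and audit.
type RoleSource string

const (
	FromSecurityContext  RoleSource = "security-context"
	FromLegacyAnnotation RoleSource = "legacy-annotation"
	NoRole               RoleSource = "none"
)

// ResolveRole is the one place that knows about the legacy fallback, so
// plugins call it instead of repeating the check themselves.
func ResolveRole(sc *SecurityContext, annotations map[string]string, legacyKey string) (string, RoleSource) {
	if sc != nil && sc.IAMRole != "" {
		return sc.IAMRole, FromSecurityContext
	}
	// Backward compatibility: role still set through the annotation key.
	// Reading a nil map is safe in Go and yields the empty string.
	if role := annotations[legacyKey]; role != "" {
		return role, FromLegacyAnnotation
	}
	return "", NoRole
}

func main() {
	// Constructed sample inputs.
	const key = "example.com/iam-role"
	ann := map[string]string{key: "legacy-batch-role"}
	cases := []struct {
		name string
		sc   *SecurityContext
		ann  map[string]string
	}{
		{"security context set", &SecurityContext{IAMRole: "sc-batch-role"}, ann},
		{"annotation only", nil, ann},
		{"neither set", &SecurityContext{}, nil},
	}
	for _, c := range cases {
		role, src := ResolveRole(c.sc, c.ann, key)
		fmt.Printf("%-22s role=%q source=%s\n", c.name, role, src)
	}
}
```

Returning the source alongside the role lets a caller log every use of the legacy path, which gives a concrete signal for when the fallback can be deleted.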

@akhurana001
Contributor

LGTM, one minor comment. Also can we test this if not already :)

Signed-off-by: Anand Swaminathan <[email protected]>
Signed-off-by: Anand Swaminathan <[email protected]>
EngHabu
EngHabu previously approved these changes Mar 11, 2021
Signed-off-by: Anand Swaminathan <[email protected]>
@anandswaminathan anandswaminathan merged commit d0a6ee2 into master Mar 17, 2021
milton0825 pushed a commit to milton0825/flyteplugins that referenced this pull request May 25, 2021
* Inject and Use values from Security Context

Signed-off-by: Anand Swaminathan <[email protected]>
Signed-off-by: Chao-Han Tsai <[email protected]>
eapolinario pushed a commit that referenced this pull request Sep 6, 2023
* Inject and Use values from Security Context

Signed-off-by: Anand Swaminathan <[email protected]>
4 participants