[feature request] set the init container of volcano job as privileged mode

[zrss]

volcano/pkg/webhooks/admission/jobs/validate/admit_job.go

Lines 278 to 284 in db2936f

	// Skip verify container SecurityContex.Privileged as it depends on
	// the kube-apiserver `allow-privileged` flag.
	for i, container := range coreTemplateSpec.Spec.Containers {
	if container.SecurityContext != nil && container.SecurityContext.Privileged != nil {
	coreTemplateSpec.Spec.Containers[i].SecurityContext.Privileged = nil
	}
	}

obviously, volcano forgets to cover the init container case ... and once the init container set the privileged field, it turns out

Error from server: error when creating "vj-test.yaml": admission webhook "validatejob.volcano.sh" denied the request: spec.task[0].template.spec.initContainers[0].securityContext.privileged: Forbidden: disallowed by cluster policy.

[k82cn]

/kind bug

[wpeng102]

/kind bug

I am not sure if the original logic to Skip verify container SecurityContex.Privileged is appropriate. The root cause is kube-apiserver configured --allow-privileged=true and kube-apiserver will use this config to init capabilities. But the volcano does not know the kube-apiserver configuration.

volcano/vendor/k8s.io/kubernetes/pkg/apis/core/validation/validation.go

Lines 6150 to 6154 in db2936f

	if sc.Privileged != nil {
	if *sc.Privileged && !capabilities.Get().AllowPrivileged {
	allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by cluster policy"))
	}
	}

If volcano use the same logic to valid pod, it maybe mismache by kube-apiserver.

volcano/pkg/webhooks/admission/jobs/validate/admit_job.go

Line 295 in db2936f

if allErrs := k8scorevalid.ValidatePodTemplate(&corePodTemplate, opts); len(allErrs) > 0 {

So, maybe we need introduce allow-privileged flag for volcano webhook, which need guide users to config same value as kube-apiserver.

[k82cn]

IMO, we just need to skip this check in Volcano, and deligate this to kube-apiserver :)