We currently have a group-sync cronjob which adds users to a specific group so we can differentiate which users belong to which class. The issue is that we are now trying to use gatekeeper policies to validate pods (such as rejecting pods being created that don’t conform to what students should be running: class image, xsmall size, no gpu); however, gatekeeper has no way of knowing which users belong to which groups (class) because it is only able to read the information contained within the yaml for the pod. We need a way to differentiate users in the rhods-notebooks namespace in a way that gatekeeper can understand, because there will be multiple classes running in the rhods-notebooks namespace that will have different image, resource, and gpu requirements. So in order to solve this issue, a cronjob needs to be created that will assign a label to the pods running in the rhods-notebooks namespace that tells us which class the pod belongs to. It is of value to us to use these gatekeeper policies for validation rather than a script/cronjob because gatekeeper is able to output a message to the user for why their pod creation was denied.
@msdisme No, there are no more details needed. I am getting started on this issue this week and I don't expect it to take me more than a week or two.
IsaiahStapleton changed the title from "Create cronjob to assign a class label to the pods of users in specific classes running in rhods-notebooks namespace" to "Create mutating webhook to assign a class label to the pods of users in specific classes running in rhods-notebooks namespace" on Jul 29, 2024
After creating the script to add class labels to pods, I realized that this solution won't work with gatekeeper, because when running the script, it adds labels to pods AFTER they are created. Gatekeeper intercepts the request for pods and validates them DURING creation. But since the labels are being added after, it is not working as intended.
What I am instead going to do is try to create a Mutating Admission Controller Webhook so that during creation this label is added and then gatekeeper can validate the pods as intended.
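The mutating admission webhook described in the comment above, as an added example written for this thread rather than code from the project: it handles one `AdmissionReview` for a pod `CREATE` in `rhods-notebooks`, maps the requesting user's `userInfo.groups` (which the API server fills in from authentication, not from anything in the pod manifest) to a class, and returns a base64-encoded JSON Patch that sets the class label. Because mutating admission runs before validating admission, the label is already on the object when a Gatekeeper constraint evaluates it. The group names, the label key `example.org/class`, and the helper names are assumptions; the page names none of them. The HTTPS server, TLS certificates and `MutatingWebhookConfiguration` that wire this handler into the cluster are left out.

```python
import base64
import json

# Constructed group-to-class mapping and label key: the issue names neither,
# so these are placeholders for the real group-sync group names and label.
GROUP_TO_CLASS = {
    "class-cs101-fall24": "cs101",
    "class-ds200-fall24": "ds200",
}
CLASS_LABEL_KEY = "example.org/class"  # hypothetical label key
TARGET_NAMESPACE = "rhods-notebooks"


def escape_pointer(segment):
    """Escape one JSON Pointer segment (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")


def class_for_groups(groups):
    """Map userInfo.groups to exactly one class; ambiguous or no match gives None."""
    classes = sorted({GROUP_TO_CLASS[g] for g in groups if g in GROUP_TO_CLASS})
    return classes[0] if len(classes) == 1 else None


def build_patch(pod, class_name):
    """JSON Patch that sets the class label, overwriting any user-supplied value."""
    ops = []
    if pod.get("metadata", {}).get("labels") is None:
        ops.append({"op": "add", "path": "/metadata/labels", "value": {}})
    # RFC 6902 "add" on an existing object member replaces it, so a student
    # cannot choose their own class by pre-setting the label in the manifest.
    ops.append({
        "op": "add",
        "path": "/metadata/labels/" + escape_pointer(CLASS_LABEL_KEY),
        "value": class_name,
    })
    return ops


def mutate(review):
    """Handle one AdmissionReview (v1) and return the AdmissionReview response."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    in_scope = (
        req.get("kind", {}).get("kind") == "Pod"
        and req.get("operation") == "CREATE"
        and req.get("namespace") == TARGET_NAMESPACE
    )
    if in_scope:
        class_name = class_for_groups(req.get("userInfo", {}).get("groups", []))
        if class_name is not None:
            patch = build_patch(req["object"], class_name)
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    # Requests out of scope, or from users in no class group, pass through
    # unchanged; the validating (Gatekeeper) policy then decides on them.
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def apply_patch(pod, patch):
    """Apply the 'add' ops produced above the way the API server would (test helper)."""
    result = json.loads(json.dumps(pod))  # deep copy, leave the request untouched
    for op in patch:
        assert op["op"] == "add"
        parts = [p.replace("~1", "/").replace("~0", "~") for p in op["path"].split("/")[1:]]
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = op["value"]
    return result


def labels_after(review):
    """Run the webhook on a review and return the labels the pod would be stored with."""
    out = mutate(review)["response"]
    pod = review["request"]["object"]
    if "patch" not in out:
        return dict(pod.get("metadata", {}).get("labels") or {})
    patch = json.loads(base64.b64decode(out["patch"]))
    return apply_patch(pod, patch)["metadata"]["labels"]


def sample_review(username, groups, namespace=TARGET_NAMESPACE, labels=None):
    """Constructed AdmissionReview for a notebook pod (not a captured request)."""
    metadata = {"name": f"jupyter-nb-{username}-0"}
    if labels is not None:
        metadata["labels"] = labels
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "constructed-uid-0001",
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "namespace": namespace,
            "userInfo": {"username": username, "groups": ["system:authenticated", *groups]},
            "object": {"apiVersion": "v1", "kind": "Pod", "metadata": metadata, "spec": {"containers": []}},
        },
    }


if __name__ == "__main__":
    # A student in the cs101 group pre-sets the ds200 label in their manifest.
    review = sample_review("student1", ["class-cs101-fall24"], labels={CLASS_LABEL_KEY: "ds200"})
    print(json.dumps(mutate(review), indent=2))
    print(labels_after(review))  # the label is forced back to cs101
```

Two design points matter for the Gatekeeper use case. First, the class comes from `userInfo.groups`, which the cluster sets from the authenticated identity, so the label reflects the group-sync membership and not anything the student wrote in the pod spec; the "add" op deliberately overwrites a pre-set label for the same reason. Second, a user who is in no class group (or in more than one) gets no label at all, which leaves the decision to the validating policy instead of silently guessing a class.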