[YUNIKORN-1736] Add some examples for authz use cases (#590)

Closes: #590

Signed-off-by: Craig Condit <ccondit@apache.org>
diff --git a/.gitignore b/.gitignore
index 370f8db..bf0139b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@
 coverage.txt
 yunikorn-release
 shellcheck
+*.csr
+*.crt
+*.key
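Review bot: The three patterns `*.csr`, `*.crt` and `*.key` are added to the repository-root .gitignore, so they apply to every directory and not only to the output of the authz example. Since create-user.sh in this patch writes its keys and certificates under `./auth`, an `auth/` entry in deployments/examples/authz/k8s-api-access/.gitignore (added later in this patch) would keep that key material out of commits without hiding certificate or key fixtures elsewhere in the tree.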
diff --git a/deployments/examples/authz/README.md b/deployments/examples/authz/README.md
new file mode 100644
index 0000000..37ecf1a
--- /dev/null
+++ b/deployments/examples/authz/README.md
@@ -0,0 +1,182 @@
+<!--
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*      http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+-->
+
+# Authorization use cases
+
+Yunikorn offers a range of features, including advanced capabilities like hierarchical resource queues, access control lists, resource limits, preemption, priority, and placement rules for managing your cluster. This page presents a real-world scenario to demonstrate the practical application of these features.
+
+The following will be included in this article:
+
+- [Access control with ACL](./acl)
+- [Placement of different users](./placementRule)
+- [Limit usable resources on a queue level](./resourceLimit)
+- [Preemption and priority scheduling with fencing](./priority)
+
+## Prerequisites
+
+Before configuring yunikorn-config, we need to create users using [Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) and [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) from Kubernetes.
+
+To create the necessary users for the examples, Please use [./create-user.sh](./k8s-api-access/create-user.sh) to create a user.
+
+After the user is created, the pod can be obtained by the following command to confirm the creation is successful:
+
+```yaml
+kubectl --context=sue-context get pod
+```
+
+In our use cases, we frequently simulate different users deploying YAML files. To accomplish this, we utilize the `--context` command to select the appropriate user for each deployment:
+
+```yaml
+kubectl --context=sue-context apply -f ./acl/nginx-1.yaml
+```
+
+When you are done testing, you can run [./remove-user.sh](./k8s-api-access/remove-user.sh) to delete all users.
+
+## Access control with ACL
+
+In the [yunikorn-configs.yaml](./acl/yunikorn-configs.yaml), we utilize `adminacl` to restrict access to the queue to only authorized users.
+
+
+See the documentation on [User & Group Resolution](https://yunikorn.apache.org/docs/user_guide/usergroup_resolution) or [ACLs](https://yunikorn.apache.org/docs/user_guide/acls) for more information.
+
+```yaml
+queues:
+  - name: root
+    queues:
+    - name: system
+      adminacl: " admin"
+    - name: tenants
+      queues:
+        - name: group-a
+          adminacl: " group-a"
+        - name: group-b
+          adminacl: " group-b"
+```
+
+In the test case, users are given the option to specify the queue they want to use. The scheduler then checks if the user's application is permitted to be deployed to that queue. 
+
+The following example illustrates this scenario, along with the expected test results:
+
+| user, group          | Assign queue         | result  | YAML filename                 |
+|----------------------|----------------------|---------|-------------------------------|
+| sue, group-a         | root.tenants.group-a | created | [nginx-1](./acl/nginx-1.yaml) |
+| sue, group-a         | root.tenants.group-b | blocked | [nginx-1](./acl/nginx-1.yaml) |
+| kim, group-b         | root.tenants.group-a | blocked | [nginx-2](./acl/nginx-2.yaml) |
+| kim, group-b         | root.tenants.group-b | created | [nginx-2](./acl/nginx-2.yaml) |
+| anonymous, anonymous | root.tenants.group-a | blocked | [nginx-3](./acl/nginx-3.yaml) |
+| anonymous, anonymous | root.tenants.group-b | blocked | [nginx-3](./acl/nginx-3.yaml) |
+
+## Placement of different users
+
+In [yunikorn-configs.yaml](./placementRule/yunikorn-configs.yaml), we use `placementrules` to allow the scheduler to dynamically assign applications to a queue, and even create a new queue if needed.
+
+See the documentation on [App Placement Rules](https://yunikorn.apache.org/docs/user_guide/placement_rules) for more information.
+
+```yaml
+placementrules:
+  - name: provided
+  create: true
+  filter:
+    type: allow
+    users:
+      - admin
+    groups:
+      - admin
+  parent:
+    name: fixed
+    value: root.system
+```
+
+In the test case, the user doesn't need to specify the queue for their application. Instead, the scheduler will utilize the placement rules to assign the application to the appropriate queue. If needed, the scheduler will create new queues.
+
+The following example illustrates this scenario, along with the expected test results:
+
+| placement rule         | user, group  | provide queue             | namespace | Expected to be placed on  | YAML filename                                        |
+|------------------------|--------------|---------------------------|-----------|---------------------------|------------------------------------------------------|
+| provided               | admin, admin | root.system.high-priority |           | root.system.high-priority | [nginx-admin.yaml](./placementRule/nginx-admin.yaml) |
+| provided               | admin, admin | root.system.low-priority  |           | root.system.low-priority  | [nginx-admin.yaml](./placementRule/nginx-admin.yaml) |
+| username               | sue, group-a |                           |           | root.tenants.group-a.sue  | [nginx-sue.yaml](./placementRule/nginx-sue.yaml)     |
+| tag (value: namespace) | kim, group-b |                           | dev       | root.tenants.group-b.dev  | [nginx-kim.yaml](./placementRule/nginx-kim.yaml)     |
+| tag (value: namespace) | kim, group-b |                           | test      | root.tenants.group-b.test | [nginx-kim.yaml](./placementRule/nginx-kim.yaml)     |
+
+## Limit usable resources on a queue level
+
+In [yunikorn-configs.yaml](./resourceLimit/yunikorn-configs.yaml), we use `resources` to limit and reserve the amount of resources per queue.
+
+See the documentation on [Partition and Queue Configuration #Resources](https://yunikorn.apache.org/docs/user_guide/queue_config#resources) for more information.
+
+```yaml
+queues:
+- name: system
+  adminacl: " admin"
+  resources:
+    guaranteed:
+      {memory: 2G, vcore: 2}
+    max:
+      {memory: 6G, vcore: 6}
+```
+
+In the test case, users may request more resources than the queue allows, causing the scheduler to block applications that exceed the limits of each queue.
+
+The following example illustrates this scenario, along with the expected test results:
+
+| user, group  | Resource Limits for Destination Queues | request resources for each replicas | replica | result                                                   | YAML filename                                        |
+|--------------|----------------------------------------|-------------------------------------|---------|----------------------------------------------------------|------------------------------------------------------|
+| admin, admin | {memory: 6G, vcore: 6}                 | {memory: 512M, vcore: 250m}         | 1       | run all replica                                          | [nginx-admin.yaml](./resourceLimit/nginx-admin.yaml) |
+| sue, group-A | {memory: 2G, vcore: 4}                 | {memory: 512M, vcore: 500m}         | 5       | run 3 replica (4 replica will exceed the resource limit) | [nginx-sue.yaml](./resourceLimit/nginx-sue.yaml)     |
+
+## Preemption and priority scheduling with fencing
+
+In [yunikorn-configs.yaml](./resourceLimit/yunikorn-configs.yaml), we use `priority.offset` and `priority.policy` to configure the priority in a queue.
+
+See the documentation on [App & Queue Priorities](https://yunikorn.apache.org/docs/user_guide/priorities) for more information.
+
+```yaml
+- name: tenants
+  properties:
+    priority.policy: "fence"
+  queues:
+    - name: group-a
+      adminacl: " group-a"
+      properties:
+        priority.offset: "20"
+```
+
+In a resource-constrained environment, we will deploy applications to three queues simultaneously, each with a different priority. The scheduler will then deploy applications based on the priority of the queue.
+
+In the following tests, we run the environment with a node resource limit of `{memory:16GB, vcore:16}`. Note that results will vary based on the environment, and you can modify the YAML file we provide to achieve similar results.
+
+The following example illustrates this scenario, along with the expected test results:
+
+### case 1 -
+
+| queue                       | offset | # of deploy apps | # of apps accept by yunikorn | YAML filename                         |
+|-----------------------------|--------|------------------|------------------------------|---------------------------------------|
+| root.system.low-priority    | 1000   | 8                | 8                            | [system.yaml](./priority/system.yaml) |
+| root.system.normal-priority | 0      | 8                | 5                            | [system.yaml](./priority/system.yaml) |
+| root.system.high-priority   | -1000  | 8                | 0                            | [system.yaml](./priority/system.yaml) |
+
+### case 2 - 
+
+> **_NOTE:_** You will need to deploy all of the following YAML files simultaneously.
+
+| queue                       | offset      | # of deploy apps | # of apps accept by yunikorn | YAML filename                                   |
+|-----------------------------|-------------|------------------|------------------------------|-------------------------------------------------|
+| root.system.normal-priority | 0 (global)  | 7                | 7                            | [nginx-admin.yaml](./priority/nginx-admin.yaml) |
+| root.tenants.group-a        | 20 (fenced) | 7                | 6                            | [nginx-sue.yaml](./priority/nginx-sue.yaml)     |
+| root.tenants.group-b        | 5 (fenced)  | 7                | 0                            | [nginx-kim.yaml](./priority/nginx-kim.yaml)     |
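Review bot: The links in the use-case list and in the "Placement of different users" section point at `./placementRule/...`, but the files in this patch are created under `deployments/examples/authz/placement-rules/`, so those links will not resolve; the priority section also links to `./resourceLimit/yunikorn-configs.yaml` rather than a file under `./priority`. In the `placementrules` snippet, `create`, `filter` and `parent` sit at the same indentation as the dash of `- name: provided`, which does not parse as YAML; they need to be indented under the list item. Smaller points: the two `kubectl` commands are fenced as `yaml` rather than as shell, the `case 1 -` and `case 2 -` headings have no title, the resource table writes `group-A` where the rest of the file uses `group-a`, and in case 1 the queue named low-priority has offset 1000 while high-priority has -1000, which reads as inverted and needs a sentence of explanation.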
diff --git a/deployments/examples/authz/acl/nginx-1.yaml b/deployments/examples/authz/acl/nginx-1.yaml
new file mode 100644
index 0000000..20f6116
--- /dev/null
+++ b/deployments/examples/authz/acl/nginx-1.yaml
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-a
+  name: nginx-a
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-a
+  template:
+    metadata:
+      labels:
+        app: nginx-a
+        applicationId: nginx-a
+        queue: root.tenants.group-a
+      name: nginx-a
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-b
+  name: nginx-b
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-b
+  template:
+    metadata:
+      labels:
+        app: nginx-b
+        applicationId: nginx-b
+        queue: root.tenants.group-b
+      name: nginx-b
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
diff --git a/deployments/examples/authz/acl/nginx-2.yaml b/deployments/examples/authz/acl/nginx-2.yaml
new file mode 100644
index 0000000..66d2e0d
--- /dev/null
+++ b/deployments/examples/authz/acl/nginx-2.yaml
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-c
+  name: nginx-c
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-c
+  template:
+    metadata:
+      labels:
+        app: nginx-c
+        applicationId: nginx-c
+        queue: root.tenants.group-c
+      name: nginx-c
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-d
+  name: nginx-d
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-d
+  template:
+    metadata:
+      labels:
+        app: nginx-d
+        applicationId: nginx-d
+        queue: root.tenants.group-b
+      name: nginx-d
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
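Review bot: The first Deployment sets `queue: root.tenants.group-c`, but the README table lists kim's blocked case as `root.tenants.group-a`, and acl/yunikorn-configs.yaml in this patch defines only group-a and group-b under tenants. As written, the test exercises a queue that is not configured rather than an ACL denial on another tenant's queue; `queue: root.tenants.group-a` would match the documented scenario.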
diff --git a/deployments/examples/authz/acl/nginx-3.yaml b/deployments/examples/authz/acl/nginx-3.yaml
new file mode 100644
index 0000000..33701c8
--- /dev/null
+++ b/deployments/examples/authz/acl/nginx-3.yaml
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-e
+  name: nginx-e
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-e
+  template:
+    metadata:
+      labels:
+        app: nginx-e
+        applicationId: nginx-e
+        queue: root.tenants.group-a
+      name: nginx-e
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-f
+  name: nginx-f
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-f
+  template:
+    metadata:
+      labels:
+        app: nginx-f
+        applicationId: nginx-f
+        queue: root.tenants.group-b
+      name: nginx-f
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
diff --git a/deployments/examples/authz/acl/yunikorn-configs.yaml b/deployments/examples/authz/acl/yunikorn-configs.yaml
new file mode 100644
index 0000000..c511c90
--- /dev/null
+++ b/deployments/examples/authz/acl/yunikorn-configs.yaml
@@ -0,0 +1,39 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ConfigMap
+metadata:
+  name: yunikorn-configs
+  namespace: yunikorn
+apiVersion: v1
+data:
+  admissionController.accessControl.externalGroups: "admin,group-a,group-b"
+  queues.yaml: |
+    partitions: 
+    - name: default
+      queues:
+        - name: root
+          queues:
+          - name: system
+            adminacl: " admin"
+          - name: tenants
+            queues:
+              - name: group-a
+                adminacl: " group-a"
+              - name: group-b
+                adminacl: " group-b"
+
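Review bot: Every tenant queue grants its group through `adminacl`, which gives group members administrative rights on the queue as well as the right to submit. If the example is meant to show who may submit applications, `submitacl: " group-a"` and `submitacl: " group-b"` on the tenant queues would be the narrower grant, leaving `adminacl` for the admin group. There is also trailing whitespace after `partitions:` and an extra blank line at the end of the file.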
diff --git a/deployments/examples/authz/k8s-api-access/.gitignore b/deployments/examples/authz/k8s-api-access/.gitignore
new file mode 100644
index 0000000..9dcf5dc
--- /dev/null
+++ b/deployments/examples/authz/k8s-api-access/.gitignore
@@ -0,0 +1 @@
+certification_request.yaml
diff --git a/deployments/examples/authz/k8s-api-access/authorization.yaml b/deployments/examples/authz/k8s-api-access/authorization.yaml
new file mode 100644
index 0000000..d5e212f
--- /dev/null
+++ b/deployments/examples/authz/k8s-api-access/authorization.yaml
@@ -0,0 +1,68 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: yunikorn-users
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "create", "patch", "update", "delete"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "watch", "list", "create", "patch", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: yunikorn-users
+subjects:
+- kind: Group
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: group-a
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: sue
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: bob
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: group-b
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: kim
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: yono
+  apiGroup: rbac.authorization.k8s.io
+- kind: User
+  name: anonymous
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: anonymous
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: yunikorn-users
+  apiGroup: rbac.authorization.k8s.io
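Review bot: The `yunikorn-users` ClusterRoleBinding grants create, patch, update and delete on pods and deployments in every namespace, and its subjects include the `anonymous` user and group. For the example, a Role and RoleBinding in the namespaces the tests actually use would be enough and would keep the test users out of namespaces such as kube-system. Listing sue, bob, kim and yono as User subjects is also redundant with the `group-a` and `group-b` Group subjects, given that create-user.sh puts those groups into the certificate subject as `O=`.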
diff --git a/deployments/examples/authz/k8s-api-access/create-user.sh b/deployments/examples/authz/k8s-api-access/create-user.sh
new file mode 100755
index 0000000..14cea43
--- /dev/null
+++ b/deployments/examples/authz/k8s-api-access/create-user.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+USERS=("admin admin" "sue group-a" "bob group-a" "kim group-b" "yono group-b" "anonymous anonymous")
+AUTH_FOLDER=./auth
+CERT_REQUEST_FILE=./certification_request.yaml
+
+mkdir -p $AUTH_FOLDER
+for ((i = 0; i < ${#USERS[@]}; ++i)); do
+    USER=(${USERS[i]})
+    USERNAME=${USER[0]}
+    GROUP=${USER[1]}
+    AUTH_FILE=$AUTH_FOLDER/$USERNAME
+    echo "username: $USERNAME , group: $GROUP"
+    # create a CSR for the user
+    openssl genrsa -out "$AUTH_FILE".key 2048
+    openssl req -new -key "$AUTH_FILE".key -out "$AUTH_FILE".csr -subj "/CN=$USERNAME/O=$GROUP"
+    
+    # write a file for certification request & use kubectl to approve the request
+    {
+        echo "apiVersion: certificates.k8s.io/v1"
+        echo "kind: CertificateSigningRequest"
+        echo "metadata:"
+        echo "   name: $USERNAME-csr"
+        echo "spec:"
+        echo "   groups:"
+        echo "   - system:authenticated"
+        echo "   request: $(< "$AUTH_FILE".csr base64 | tr -d '\n')"
+        echo "   signerName: kubernetes.io/kube-apiserver-client"
+        echo "   usages:"
+        echo "   - digital signature"
+        echo "   - key encipherment"
+        echo "   - client auth"
+    } >  $CERT_REQUEST_FILE
+
+    kubectl apply -f ${CERT_REQUEST_FILE}
+    kubectl certificate approve "$USERNAME"-csr
+
+    # get CRT for user
+    kubectl get csr "$USERNAME"-csr -o jsonpath='{.status.certificate}' | base64 --decode > "$AUTH_FILE".crt
+    
+    # using CRT & key to set credentials & set context for user
+    kubectl config set-credentials "$USERNAME" --client-certificate="$AUTH_FILE".crt --client-key="$AUTH_FILE".key
+    kubectl config set-context "$USERNAME"-context --cluster=kubernetes --namespace="" --user="$USERNAME"
+    
+done
+# apply RBAC for user
+kubectl apply -f ./authorization.yaml
+
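Review bot: In the loop, `kubectl get csr "$USERNAME"-csr -o jsonpath='{.status.certificate}'` runs immediately after `kubectl certificate approve`, and the script has no `set -e`, so if the signer has not issued the certificate yet, or any earlier step fails, an empty `.crt` is written and wired into the kubeconfig without an error. Add `set -euo pipefail` and check for a non-empty `.status.certificate` before decoding. The private keys are written to `./auth` with default permissions; a `umask 077` at the top or a `chmod 600` on the `.key` files would be safer. `USER` shadows the login-name environment variable, `USER=(${USERS[i]})` and `mkdir -p $AUTH_FOLDER` rely on unquoted expansion, and `--cluster=kubernetes` assumes a kubeconfig cluster entry with exactly that name, so a differently named loop variable and a configurable cluster name would make the script portable.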
diff --git a/deployments/examples/authz/k8s-api-access/remove-user.sh b/deployments/examples/authz/k8s-api-access/remove-user.sh
new file mode 100755
index 0000000..980b802
--- /dev/null
+++ b/deployments/examples/authz/k8s-api-access/remove-user.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+USERS=("admin admin" "sue group-a" "bob group-a" "kim dev" "yono test" "anonymous anonymous")
+
+for ((i = 0; i < ${#USERS[@]}; ++i)); do
+    USER=(${USERS[i]})
+    USERNAME=${USER[0]}
+
+    kubectl delete csr/"$USERNAME"-csr
+    kubectl config unset contexts."$USERNAME"-context
+    kubectl config unset users."$USERNAME"
+done
+
+kubectl delete -f ./authorization.yaml
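Review bot: The cleanup loop deletes the CSR objects and kubeconfig entries but leaves the private keys and certificates that create-user.sh wrote to `./auth`; deleting a CSR does not invalidate a certificate that was already issued, so that folder should be removed here as well. The `USERS` array also differs from create-user.sh (`"kim dev" "yono test"` instead of `"kim group-b" "yono group-b"`); only the user name is read, so a plain list of names, or one list shared by both scripts, would avoid the drift.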
diff --git a/deployments/examples/authz/placement-rules/create-all.sh b/deployments/examples/authz/placement-rules/create-all.sh
new file mode 100755
index 0000000..7115288
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/create-all.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubectl apply -f nginx-admin.yaml --context=admin-context
+kubectl apply -f nginx-sue.yaml --context=sue-context
+kubectl apply -f nginx-kim.yaml --context=kim-context
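Review bot: nginx-anonymous.yaml is added to this directory in the same patch but is not applied here (there is no `--context=anonymous-context` line), so the anonymous placement case is never exercised by the script. Either add that line or drop the manifest. The file paths are relative, so the script only works when run from placement-rules/; resolving them against the script's own directory and adding `set -e` would make a failed apply visible.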
diff --git a/deployments/examples/authz/placement-rules/delete-all.sh b/deployments/examples/authz/placement-rules/delete-all.sh
new file mode 100755
index 0000000..40de274
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/delete-all.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubectl delete -f nginx-admin.yaml
+kubectl delete -f nginx-sue.yaml
+kubectl delete -f nginx-kim.yaml
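Review bot: The three `kubectl delete` calls omit `--context`, so they run as whatever user the current kubeconfig context selects, unlike create-all.sh, which applies each file as the matching user. Passing the same `--context` values, or documenting that an admin context is expected, and adding `--ignore-not-found` would let the cleanup run predictably after a partial create.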
diff --git a/deployments/examples/authz/placement-rules/nginx-admin.yaml b/deployments/examples/authz/placement-rules/nginx-admin.yaml
new file mode 100644
index 0000000..15a8bf5
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/nginx-admin.yaml
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-admin-high-priority
+    applicationId: nginx-admin-high-priority
+    queue: root.system.high-priority
+  name: nginx-admin-high-priority
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-admin-low-priority
+    applicationId: nginx-admin-low-priority
+    queue: root.system.low-priority
+  name: nginx-admin-low-priority
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
diff --git a/deployments/examples/authz/placement-rules/nginx-anonymous.yaml b/deployments/examples/authz/placement-rules/nginx-anonymous.yaml
new file mode 100644
index 0000000..319dd6f
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/nginx-anonymous.yaml
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-anonymous
+    applicationId: nginx-anonymous
+  name: nginx-anonymous
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
diff --git a/deployments/examples/authz/placement-rules/nginx-kim.yaml b/deployments/examples/authz/placement-rules/nginx-kim.yaml
new file mode 100644
index 0000000..3bbc048
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/nginx-kim.yaml
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-kim-dev
+    applicationId: nginx-kim-dev
+  name: nginx-kim-dev
+  namespace: dev
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-kim-test
+    applicationId: nginx-kim-test
+  name: nginx-kim-test
+  namespace: test
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
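Review bot: the two pods target `namespace: dev` and `namespace: test`, but nothing in this file creates those namespaces, so `kubectl apply` fails on a fresh cluster unless they already exist. Either add two `Namespace` objects ahead of the pods or state in a header comment that they are a prerequisite. Since the namespace name is what the `tag` rule in placement-rules/yunikorn-configs.yaml keys on, a comment naming the queue each pod is expected to land in would also help.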
diff --git a/deployments/examples/authz/placement-rules/nginx-sue.yaml b/deployments/examples/authz/placement-rules/nginx-sue.yaml
new file mode 100644
index 0000000..c946829
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/nginx-sue.yaml
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx-sue
+    applicationId: nginx-sue
+  name: nginx-sue
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
diff --git a/deployments/examples/authz/placement-rules/yunikorn-configs.yaml b/deployments/examples/authz/placement-rules/yunikorn-configs.yaml
new file mode 100644
index 0000000..bbf1ae9
--- /dev/null
+++ b/deployments/examples/authz/placement-rules/yunikorn-configs.yaml
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ConfigMap
+metadata:
+  name: yunikorn-configs
+  namespace: yunikorn
+apiVersion: v1
+data:
+  admissionController.accessControl.externalGroups: "admin,group-a,group-b"
+  queues.yaml: |
+    partitions: 
+      - name: default
+        placementrules:
+          - name: provided
+            create: true
+            filter:
+                type: allow
+                users:
+                  - admin
+                groups:
+                  - admin
+            parent:
+              name: fixed
+              value: root.system
+          - name: user
+            create: true
+            filter:
+              type: allow
+              groups:
+                - group-a
+            parent:
+              name: fixed
+              value: root.tenants.group-a
+          - name: tag
+            value: namespace
+            create: true
+            filter:
+              type: allow
+              groups:
+                - group-b
+            parent:
+              name: fixed
+              value: root.tenants.group-b
+        queues:
+          - name: root
+            queues:
+            - name: system
+              adminacl: " admin"
+              parent: true
+            - name: tenants
+              parent: true
+              queues:
+                - name: group-a
+                  adminacl: " group-a"
+                  parent: true
+                - name: group-b
+                  adminacl: " group-b"
+                  parent: true
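Review bot: there is no fall-through rule after `tag`, so a submission from a user outside `admin`, `group-a` and `group-b` matches none of the three filters and has no queue to be placed in. If that default-deny behaviour is what nginx-anonymous.yaml is meant to demonstrate, say so in a comment above `placementrules:`. Style: under the first rule's `filter:` the keys are indented four spaces while the other two rules use two, and `partitions: ` carries a trailing space.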
diff --git a/deployments/examples/authz/priority/nginx-admin.yaml b/deployments/examples/authz/priority/nginx-admin.yaml
new file mode 100644
index 0000000..6061af2
--- /dev/null
+++ b/deployments/examples/authz/priority/nginx-admin.yaml
@@ -0,0 +1,142 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-1
+    applicationId: normal-1
+    queue: root.system.normal-priority
+  name: normal-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-2
+    applicationId: normal-2
+    queue: root.system.normal-priority
+  name: normal-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-3
+    applicationId: normal-3
+    queue: root.system.normal-priority
+  name: normal-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-4
+    applicationId: normal-4
+    queue: root.system.normal-priority
+  name: normal-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-5
+    applicationId: normal-5
+    queue: root.system.normal-priority
+  name: normal-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-6
+    applicationId: normal-6
+    queue: root.system.normal-priority
+  name: normal-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-7
+    applicationId: normal-7
+    queue: root.system.normal-priority
+  name: normal-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
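Review bot: pods `normal-1` through `normal-7` here have the same names, `applicationId` labels and queue as the `normal-1` to `normal-7` pods in priority/system.yaml, and neither file sets a namespace, so applying both files addresses the same seven objects rather than adding load. If the two files are meant to be alternatives, say so in a header comment; otherwise give these pods distinct names that match the file name. The `requests:` key is also indented eight spaces under `resources:` where the rest of the file uses two.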
diff --git a/deployments/examples/authz/priority/nginx-kim.yaml b/deployments/examples/authz/priority/nginx-kim.yaml
new file mode 100644
index 0000000..c583c0b
--- /dev/null
+++ b/deployments/examples/authz/priority/nginx-kim.yaml
@@ -0,0 +1,143 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-1
+    applicationId: kim-1
+    queue: root.tenants.group-b
+  name: kim-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-2
+    applicationId: kim-2
+    queue: root.tenants.group-b
+  name: kim-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-3
+    applicationId: kim-3
+    queue: root.tenants.group-b
+  name: kim-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-4
+    applicationId: kim-4
+    queue: root.tenants.group-b
+  name: kim-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-5
+    applicationId: kim-5
+    queue: root.tenants.group-b
+  name: kim-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-6
+    applicationId: kim-6
+    queue: root.tenants.group-b
+  name: kim-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: kim-7
+    applicationId: kim-7
+    queue: root.tenants.group-b
+  name: kim-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+
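Review bot: the file ends with an empty added line after the last `memory: "1000M"`, which priority/nginx-admin.yaml and priority/nginx-sue.yaml do not have; drop it so the three files end the same way.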
diff --git a/deployments/examples/authz/priority/nginx-sue.yaml b/deployments/examples/authz/priority/nginx-sue.yaml
new file mode 100644
index 0000000..70d8f9d
--- /dev/null
+++ b/deployments/examples/authz/priority/nginx-sue.yaml
@@ -0,0 +1,142 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-1
+    applicationId: sue-1
+    queue: root.tenants.group-a
+  name: sue-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-2
+    applicationId: sue-2
+    queue: root.tenants.group-a
+  name: sue-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-3
+    applicationId: sue-3
+    queue: root.tenants.group-a
+  name: sue-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-4
+    applicationId: sue-4
+    queue: root.tenants.group-a
+  name: sue-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-5
+    applicationId: sue-5
+    queue: root.tenants.group-a
+  name: sue-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-6
+    applicationId: sue-6
+    queue: root.tenants.group-a
+  name: sue-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: sue-7
+    applicationId: sue-7
+    queue: root.tenants.group-a
+  name: sue-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
diff --git a/deployments/examples/authz/priority/system.yaml b/deployments/examples/authz/priority/system.yaml
new file mode 100644
index 0000000..c350bb2
--- /dev/null
+++ b/deployments/examples/authz/priority/system.yaml
@@ -0,0 +1,448 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-1
+    applicationId: low-1
+    queue: root.system.low-priority
+  name: low-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-2
+    applicationId: low-2
+    queue: root.system.low-priority
+  name: low-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-3
+    applicationId: low-3
+    queue: root.system.low-priority
+  name: low-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-4
+    applicationId: low-4
+    queue: root.system.low-priority
+  name: low-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-5
+    applicationId: low-5
+    queue: root.system.low-priority
+  name: low-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-6
+    applicationId: low-6
+    queue: root.system.low-priority
+  name: low-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-7
+    applicationId: low-7
+    queue: root.system.low-priority
+  name: low-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: low-8
+    applicationId: low-8
+    queue: root.system.low-priority
+  name: low-8
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-1
+    applicationId: normal-1
+    queue: root.system.normal-priority
+  name: normal-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-2
+    applicationId: normal-2
+    queue: root.system.normal-priority
+  name: normal-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-3
+    applicationId: normal-3
+    queue: root.system.normal-priority
+  name: normal-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-4
+    applicationId: normal-4
+    queue: root.system.normal-priority
+  name: normal-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-5
+    applicationId: normal-5
+    queue: root.system.normal-priority
+  name: normal-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-6
+    applicationId: normal-6
+    queue: root.system.normal-priority
+  name: normal-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-7
+    applicationId: normal-7
+    queue: root.system.normal-priority
+  name: normal-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: normal-8
+    applicationId: normal-8
+    queue: root.system.normal-priority
+  name: normal-8
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-1
+    applicationId: high-1
+    queue: root.system.high-priority
+  name: high-1
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-2
+    applicationId: high-2
+    queue: root.system.high-priority
+  name: high-2
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-3
+    applicationId: high-3
+    queue: root.system.high-priority
+  name: high-3
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-4
+    applicationId: high-4
+    queue: root.system.high-priority
+  name: high-4
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-5
+    applicationId: high-5
+    queue: root.system.high-priority
+  name: high-5
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-6
+    applicationId: high-6
+    queue: root.system.high-priority
+  name: high-6
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-7
+    applicationId: high-7
+    queue: root.system.high-priority
+  name: high-7
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: high-8
+    applicationId: high-8
+    queue: root.system.high-priority
+  name: high-8
+spec:
+  schedulerName: yunikorn
+  containers:
+  - name: nginx
+    image: nginx:stable-alpine
+    resources:
+            requests:
+              cpu: "1000m"
+              memory: "1000M"
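Review bot: missing documentation at the top of the file: the 24 pods each request `cpu: "1000m"` and `memory: "1000M"`, and the ordering between the `low-priority`, `normal-priority` and `high-priority` queues is only observable when the cluster cannot place all of them at once. Add a header comment stating the node capacity the example assumes and the order in which the pods are expected to be scheduled.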
diff --git a/deployments/examples/authz/priority/yunikorn-configs.yaml b/deployments/examples/authz/priority/yunikorn-configs.yaml
new file mode 100644
index 0000000..27292fe
--- /dev/null
+++ b/deployments/examples/authz/priority/yunikorn-configs.yaml
@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ConfigMap
+metadata:
+  name: yunikorn-configs
+  namespace: yunikorn
+apiVersion: v1
+data:
+  queues.yaml: |
+    partitions: 
+    - name: default
+      queues:
+        - name: root
+          properties:
+              application.sort.policy: fifo
+              application.sort.priority: enabled
+          queues:
+          - name: system
+            adminacl: " admin"
+            queues:
+              - name: high-priority
+                properties:
+                  priority.offset: "1000"
+              - name: normal-priority
+                properties:
+                  priority.offset: "0"
+              - name: low-priority
+                properties:
+                  priority.offset: "-1000"
+          - name: tenants
+            properties:
+              priority.policy: "fence"
+            queues:
+              - name: group-a
+                adminacl: " group-a"
+                properties:
+                  priority.offset: "20"
+              - name: group-b
+                adminacl: " group-b"
+                properties:
+                  priority.offset: "5"
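Review bot: `priority.policy: "fence"` on `tenants` is the setting this example turns on, yet nothing in the file explains it. Add a comment there saying that the `priority.offset` values of `group-a` ("20") and `group-b` ("5") order those two queues against each other only and are not compared with the offsets under `system`. Style: the two keys under root's `properties:` are indented four spaces where every other `properties:` block uses two, and `partitions: ` carries a trailing space.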
diff --git a/deployments/examples/authz/resource-limits/create-all.sh b/deployments/examples/authz/resource-limits/create-all.sh
new file mode 100755
index 0000000..0a36957
--- /dev/null
+++ b/deployments/examples/authz/resource-limits/create-all.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubectl apply -f nginx-admin.yaml --context=admin-context
+kubectl apply -f nginx-sue.yaml --context=sue-context
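Review bot: no error handling: if the first `kubectl apply` fails (for example because `admin-context` is not defined in the kubeconfig), the script carries on, applies nginx-sue.yaml anyway and exits with the status of the last command only. Add `set -euo pipefail` after the licence header, and note in a comment that `admin-context` and `sue-context` must already exist.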
diff --git a/deployments/examples/authz/resource-limits/delete-all.sh b/deployments/examples/authz/resource-limits/delete-all.sh
new file mode 100755
index 0000000..0373da4
--- /dev/null
+++ b/deployments/examples/authz/resource-limits/delete-all.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubectl delete -f nginx-admin.yaml
+kubectl delete -f nginx-sue.yaml
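Review bot: both `kubectl delete` calls omit `--context`, whereas create-all.sh applies the same files with `--context=admin-context` and `--context=sue-context`. The deletes therefore run as whatever the current context happens to be, which may be a different user or a different cluster. Pass the matching context on each line, and consider `--ignore-not-found` so that a second run does not fail.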
diff --git a/deployments/examples/authz/resource-limits/nginx-admin.yaml b/deployments/examples/authz/resource-limits/nginx-admin.yaml
new file mode 100644
index 0000000..5eaa129
--- /dev/null
+++ b/deployments/examples/authz/resource-limits/nginx-admin.yaml
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-admin
+  name: nginx-admin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-admin
+  template:
+    metadata:
+      labels:
+        app: nginx-admin
+        applicationId: nginx-admin
+        queue: root.system
+      name: nginx-admin
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 250m
+              memory: 512M
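Review bot: `name: nginx-admin` under `template.metadata` has no effect, because pods created by a Deployment get generated names; remove it (the same applies to resource-limits/nginx-sue.yaml). The container sets `requests` but no `limits`; if that is deliberate because the queue-level `max` in yunikorn-configs.yaml is what the example demonstrates, a one-line comment would make it clear.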
diff --git a/deployments/examples/authz/resource-limits/nginx-sue.yaml b/deployments/examples/authz/resource-limits/nginx-sue.yaml
new file mode 100644
index 0000000..57a3632
--- /dev/null
+++ b/deployments/examples/authz/resource-limits/nginx-sue.yaml
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-sue
+  name: nginx-sue
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app: nginx-sue
+  template:
+    metadata:
+      labels:
+        app: nginx-sue
+        applicationId: nginx-sue
+        queue: root.tenants.group-a
+      name: nginx-sue
+    spec:
+      schedulerName: yunikorn
+      containers:
+        - name: nginx
+          image: nginx:stable-alpine
+          resources:
+            requests:
+              cpu: 500m
+              memory: 512M
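Review bot: `replicas: 5` with `memory: 512M` per pod requests 2560M in total, which is above the `max: {memory: 2G, vcore: 4}` that the accompanying yunikorn-configs.yaml sets for root.tenants.group-a, and the manifest does not say this is intentional. A reader who applies the file will see some replicas stay Pending with no hint why. Add a comment next to `replicas: 5` stating that the count deliberately exceeds the queue maximum and how many pods are expected to run.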
diff --git a/deployments/examples/authz/resource-limits/yunikorn-configs.yaml b/deployments/examples/authz/resource-limits/yunikorn-configs.yaml
new file mode 100644
index 0000000..2262016
--- /dev/null
+++ b/deployments/examples/authz/resource-limits/yunikorn-configs.yaml
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ConfigMap
+metadata:
+  name: yunikorn-configs
+  namespace: yunikorn
+apiVersion: v1
+data:
+  log.level: "0"
+  admissionController.accessControl.externalGroups: "admin,^group-$"
+  queues.yaml: |
+    partitions: 
+    - name: default
+      queues:
+        - name: root
+          queues:
+          - name: system
+            adminacl: " admin"
+            resources:
+              guaranteed:
+                {memory: 2G, vcore: 2}
+              max:
+                {memory: 6G, vcore: 6}
+          - name: tenants
+            resources:
+              guaranteed:
+                {memory: 2G, vcore: 2}
+              max:
+                {memory: 4G, vcore: 8}
+            queues:
+              - name: group-a
+                adminacl: " group-a" 
+                resources:
+                  guaranteed:
+                    {memory: 1G, vcore: 1}
+                  max:
+                    {memory: 2G, vcore: 4}
+              - name: group-b
+                adminacl: " group-b"
+                resources:
+                  guaranteed:
+                    {memory: 1G, vcore: 1}
+                  max:
+                    {memory: 2G, vcore: 4}
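Review bot: in `admissionController.accessControl.externalGroups: "admin,^group-$"` the second entry, read as an anchored regular expression, matches only the literal group name `group-`, not the `group-a` and `group-b` groups used in the `adminacl` lines below. If the intent is to cover those groups, use something like `^group-[a-z]$` or `^group-.*$`, and prefer the narrower pattern so unrelated groups with the same prefix are not admitted. The leading space in `adminacl: " admin"`, `" group-a"` and `" group-b"` is significant (it marks the value as a group list rather than a user list) and is easy to remove by accident, so add a comment explaining it. The lines `partitions: ` and `adminacl: " group-a" ` also carry trailing whitespace.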