Github repo: https://github.com/apache/yunikorn-k8shim
Please read the architecture doc before reading this one, you will need to understand the 3 layer design of YuniKorn before getting to understand what is the Kubernetes shim.
The YuniKorn Kubernetes shim is responsible for talking to Kubernetes, it is responsible for translating the Kubernetes cluster resources, and resource requests via scheduler interface and send them to the scheduler core. And when a scheduler decision is made, it is responsible for binding the pod to the specific node. All the communication between the shim and the scheduler core is through the scheduler-interface.
The admission controller runs in a separate pod, it runs a mutation webhook and a validation webhook, where:
mutation webhook
mutates pod spec by:schedulerName: yunikorn
applicationId
labelapplicationId
exists, reuse the given applicationId.spark-app-selector
exists, reuse the given spark app ID.yunikorn-<namespace>-autogen
. This is unique per namespace.queue
labelqueue
exists, reuse the given queue name. Note, if placement rule is enabled, values set in the label is ignored.queue: root.default
disableStateAware
labeldisableStateAware: true
. This causes the generated application to immediately transition from the Starting
to Running
state so that it will not block other applications.validation webhook
validates the configuration set in the configmapBy default, the admission controller is deployed as part of the YuniKorn Helm chart installation. This can be disabled if necessary (though not recommended) by setting the Helm parameter embedAdmissionController
to false
.
On startup, the admission controller performs a series of tasks to ensure that it is properly registered with Kubernetes:
admission-controller-secrets
. This secret stores a pair of CA certificates which are used to sign the TLS server certificate used by the admission controller.yunikorn-admission-controller-validations
and yunikorn-admission-controller-mutations
. If the CA certificates have changed, the webhooks will also be updated. These webhooks allow the Kubernetes API server to connect to the admission controller service to perform configmap validations and pod mutations.Additionally, the admission controller also starts a background task to wait for CA certificates to expire. Once either certificate is expiring within the next 30 days, new CA and server certificates are generated, the webhook configurations are updated, and the HTTPS server is quickly restarted. This ensures that certificates rotate properly without downtime.
In production clusters, it is recommended to deploy the admission controller with two replicas by setting the Helm parameter admissionController.replicaCount
to 2
. This will ensure that at least one admission controller webhook is reachable by the Kubernetes API server at all times. In this configuration, the CA certificates and webhook configurations are shared between the instances.