From 58f088d94915ecfa3b8f552f55751fd2b26ebca5 Mon Sep 17 00:00:00 2001 From: Yaron Date: Tue, 23 Jul 2024 14:48:27 +0300 Subject: [PATCH] policies-example --- docs/admin/workloads/policies/README.md | 93 ++++++++++++------------- 1 file changed, 45 insertions(+), 48 deletions(-) diff --git a/docs/admin/workloads/policies/README.md b/docs/admin/workloads/policies/README.md index f76540e3ad..bdb3a90afb 100644 --- a/docs/admin/workloads/policies/README.md +++ b/docs/admin/workloads/policies/README.md @@ -8,16 +8,16 @@ date: 2023-Dec-12 ## Introduction -*Policies* allow administrators to impose restrictions and set default values for researcher workloads. Restrictions and default values can be placed on CPUs, GPUs, and other resources or entities. Enabling the *New Policy Manager* provides information about resources that are non-compliant to applied policies. Resources that are non-compliant will appear greyed out. To see how a resource is not compliant, press on the clipboard icon in the upper right hand corner of the resource. +*Policies* allow administrators to impose restrictions and set default values for researcher workloads. Restrictions and default values can be placed on CPUs, GPUs, and other resources or entities. Enabling the *New Policy Manager* provides information about resources that are non-compliant to applied policies. Resources that are non-compliant will appear greyed out. To see how a resource is not compliant, press on the clipboard icon in the upper right-hand corner of the resource. !!! Note - Policies from Run:ai versions 2.15 or lower will still work after enabling the *New Policy Manager*. However, showing non-compliant policy rules will not be available. For more information about policies for version 2.15 or lower, see [What are Policies](policies.md#what-are-policies). + Policies from Run:ai versions 2.17 or lower will still work after enabling the New Policy Manager. For more information about policies for version 2.17 or lower, see [What are Policies](policies.md#what-are-policies). For example, an administrator can create and apply a policy that will restrict researchers from requesting more than 2 GPUs, or less than 1GB of memory per type of workload. Another example is an administrator who wants to set different amounts of CPU, GPUs and memory for different kinds of workloads. A training workload can have a default of 1 GB of memory, or an interactive workload can have a default amount of GPUs. -Policies are created for each Run:ai project (Kubernetes namespace). When a policy is created in the `runai` namespace, it will take effect when there is no project-specific policy for the workloads of the same kind. +Policies are created for each Run:ai project (Kubernetes namespace). When a policy is created in the `runai` namespace, it will take effect when there is no project-specific policy for workloads of the same kind. In interactive workloads or workspaces, applied policies will only allow researchers access to resources that are permitted in the policy. This can include compute resources as well as node pools and node pool priority. @@ -47,7 +47,7 @@ A policy configured to a specific scope, is applied to all elements in that scop ### Policy Editor UI -Policies are added to the system using the policy editor and are written in YAML format. YAML™ is a human-friendly, cross language, Unicode based data serialization language designed around the common native data types of dynamic programming languages. It is useful for programming needs ranging from configuration files to internet messaging to object persistence to data auditing and visualization. For more information, see [YAML.org](https://yaml.org/){target=_blank}. +Policies are added to the system using the policy editor and are written in YAML format. YAML™ is a human-friendly, cross-language, Unicode-based data serialization language designed around the common native data types of dynamic programming languages. It is useful for programming needs ranging from configuration files to internet messaging to object persistence to data auditing and visualization. For more information, see [YAML.org](https://yaml.org/){target=_blank}. ### Policy API @@ -59,50 +59,47 @@ The following is an example of a workspace policy you can apply in your platform ```YAML defaults: - environment: - allowPrivilegeEscalation: false - createHomeDir: true - environmentVariables: - - name: MY_ENV - value: my_value - workspace: - allowOverQuota: true + createHomeDir: true + environmentVariables: + instances: + - name: MY_ENV + value: my_value + security: + allowPrivilegeEscalation: false rules: - compute: - cpuCoreLimit: - min: 0 - max: 9 - required: true - gpuPortionRequest: - min: 0 - max: 10 + imagePullPolicy: + required: true + options: + - value: Always + displayed: Always + - value: Never + displayed: Never + createHomeDir: + canEdit: false + security: + runAsUid: + min: 1 + max: 32700 + allowPrivilegeEscalation: + canEdit: false + compute: + cpuCoreLimit: + required: true + min: 0 + max: 9 + gpuPortionRequest: + min: 0 + max: 10 + storage: + nfs: + instances: + canAdd: false s3: - url: - options: - - displayed: "https://www.google.com" - value: "https://www.google.com" - - displayed: "https://www.yahoo.com" - value: "https://www.yahoo.com" - environment: - imagePullPolicy: - options: - - displayed: "Always" - value: "Always" - - displayed: "Never" - value: "Never" - required: true - runAsUid: - min: 1 - max: 32700 - createHomeDir: - canEdit: false - allowPrivilegeEscalation: - canEdit: false - workspace: - allowOverQuota: - canEdit: false - imposedAssets: - dataSources: - nfs: - canAdd: false + attributes: + url: + options: + - value: https://www.google.com + displayed: https://www.google.com + - value: https://www.yahoo.com + displayed: https://www.yahoo.com ```