Custom Jobs Configuration¶

Configuration Values¶

To configure these option, refer to the Tuning Datarobot Environment Variables section of this guide.

設定	説明	デフォルト
`IMAGE_BUILDER_CUSTOM_JOB_EXECUTION_REGISTRY_REPO`	Repository in registry for custom jobs	`custom-jobs/managed-image`
`CUSTOM_JOB_EXECUTION_MEM_REQUEST`	Underlying k8s job container memory request	`134217728` (128 MB)
`CUSTOM_JOB_EXECUTION_MEM_LIMIT`	Underlying k8s job container memory limit	`1073741824` (1 GB)
`CUSTOM_JOB_EXECUTION_CPU_REQUEST`	Underlying k8s job container CPU request	`1`
`CUSTOM_JOB_EXECUTION_CPU_LIMIT`	Underlying k8s job container CPU limit	`4`
`CUSTOM_JOB_EXECUTION_TIMEOUT`	Underlying k8s job active deadline, in seconds	`1800` (30 minutes)
`CUSTOM_JOB_EXECUTION_FETCH_LOG_FAST_LIMIT`	Maximum number of bytes of log to fetch for active custom job	`1048576` (1 MB)
`CUSTOM_JOB_EXECUTION_FETCH_LOG_LIMIT`	Maximum number of bytes of log to fetch when custom job finishes	`10485760` (10 MB)
`CUSTOM_JOB_MAX_TOTAL_FILES_SIZE`	Maximum number of bytes of content stored allowed for each custom job	`10485760` (10 MB)
`CUSTOM_JOB_RUN_LIMIT`	Number of active custom jobs allowed for each user	`1`
`CUSTOM_JOB_RUN_HOSTED_CUSTOM_METRICS_LIMIT`	Number of active hosted metrics custom jobs allowed for each user	`5`
`CUSTOM_JOB_SECURITY_CONTEXT_USER_ID`	User ID for built custom job images + `runAsUser` on the k8s job objects	`2000`
`CUSTOM_JOB_SECURITY_CONTEXT_GROUP_ID`	Group ID for built custom job images + `runAsGroup` on the k8s job objects	`2000`
`CUSTOM_JOB_EXECUTION_SHARED_NAMESPACE`	K8s namespace where Custom Jobs k8s objects will be created	DataRobot cluster namespace
`CUSTOM_JOB_IS_ALLOWED_TO_CREATE_NETWORK_POLICIES`	Whether to allow custom jobs to create network policies in the cluster. If set to `False` it is assumed that the relevant network policies would be created by the cluster's admin	`True`

Network Policies¶

By default, custom jobs create network policies according to user's configuration from the user interface. The policies are created at a namespace level and are associated with certain custom job by using labels.

There are three levels of network policies that are created, depending on the user's configuration: 1. A deny all policy that blocks all traffic to and from the custom job - it is always being used. 2. A platform policy that allows traffic to and from services installed in the k8s cluster - it is used only when the public access is configured. 3. A public policy that allows traffic to the internet - it is used only when the public access is configured.

If the EngConfig CUSTOM_JOB_IS_ALLOWED_TO_CREATE_NETWORK_POLICIES is set to False, then those network policies are expected to be installed by the cluster's admin.

Network Policies Resources¶

Below are the network policies resources that are associated with custom jobs. Let's assume a shared namespace awesome-datarobot.

NOTE: the labels used in these network policies resources should not be changed. They are being used by the custom jobs to identify the policies.

A deny all policy that blocks all traffic to and from the custom job:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
   name: custom-job-deny-all
   namespace: awesome-datarobot
spec:
   podSelector:
      matchLabels:
         task-type: custom-job
   policyTypes:
      - Ingress
      - Egress

A platform policy that allows traffic to and from services installed in the k8s cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: custom-job-platform-access
  namespace: awesome-datarobot
spec:
  egress:
  - ports:
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  - ports:
    - port: 5353
      protocol: UDP
    to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  - ports:
    - port: 5353
      protocol: TCP
    to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  - ports:
    - port: 8080
      protocol: TCP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: awesome-datarobot
      podSelector:
        matchLabels:
          role: core-nginx
  podSelector:
    matchLabels:
      platform-access: "true"
      task-type: custom-job
  policyTypes:
  - Egress

A public policy that allows traffic to the internet:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: custom-job-public-access
  namespace: awesome-datarobot
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
  podSelector:
    matchLabels:
      egress-network-access: public
      task-type: custom-job
  policyTypes:
  - Egress