[Core] Admin policy enforcement plugin #3966

Michaelvll · 2024-09-20T01:00:41Z

This PR allows the admin to bring a customized policy enforcement script in Python, which can apply any mutation to all user tasks based on customized policy requirements.

Usage:

User-side

In ~/.sky/config.yaml:

policy: my_package.skypilot_policy_fn

Admin-side

Create the skypilot_policy_fn function with the following signature:

def skypilot_policy_fn(user_task: sky.UserTask) -> sky.MutatedUserTask:
    pass

See policy.py for the definition of these two types.

TODO:

Check when to apply policy, e.g. skip the policy apply for exec? (Let's apply for both for now)
Upload policy package to controllers (We now apply the policy locally before uploading to controller, so this should be fine)
Add to config.rst
Add to some admin doc page for how to set this up
Policy name/hash label (blocked by [UX] Make labels work in task.yaml without the requirement for specifying cloud #3965)

Tested (run the relevant ones):

Code formatting: bash format.sh
Any manual or new tests for this PR (please specify below)
- normal launch with customized labels
- normal launch/exec with autostop enforcement
- jobs launch with customized labels
- jobs launch with autostop enforcement
- service launch with customized labels

export SKYPILOT_CONFIG='/home/gcpuser/skypilot-dev/examples/admin_policy/config_label_config.yaml'
sky serve up -n test-global-label examples/serve/http_server/task.yaml --cloud gcp

All smoke tests: pytest tests/test_smoke.py
Relevant individual smoke tests: pytest tests/test_smoke.py::test_fill_in_the_name
Backward compatibility tests: conda deactivate; bash -i tests/backward_compatibility_tests.sh

docs/source/reference/config.rst

examples/policy/example_policy/example_policy/skypilot_policy.py

sky/policy.py

concretevitamin · 2024-09-20T20:28:24Z

sky/serve/core.py

@@ -124,6 +125,8 @@ def up(

    _validate_service_task(task)

+    task = policy.Policy().apply_to_task(task)


A bit unclear if it's in-place since it also returns the task. How about "apply_in_place"?

It is not in-place. Either way is fine, but I found not in-place is more commonly seen operations.

sky/utils/dag_utils.py

sky/policy.py

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

…olicy-hook

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

…olicy-hook

concretevitamin

LGTM @Michaelvll. I think two TODOs before merging:

(1) Smoke tests, since this touches config / backend
(2) Update PR description (policy)

docs/source/cloud-setup/policy.rst

examples/admin_policy/example_policy/example_policy/skypilot_policy.py

sky/execution.py

tests/unit_tests/test_admin_policy.py

examples/admin_policy/example_policy/example_policy/skypilot_policy.py

concretevitamin · 2024-09-23T14:50:01Z

sky/execution.py

-        cluster_exists = existing_handle is not None
+        cluster_record = global_user_state.get_cluster_from_name(cluster_name)
+        cluster_exists = cluster_record is not None
+        cluster_running = (cluster_record is not None and


Q: what's the latency impact of this policy on sky launch/exec? Is it small? Do we expect users to use this example policy and be ok with the latency?

docs/source/cloud-setup/policy.rst

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

…olicy-hook

…-hook

Michaelvll · 2024-09-24T01:42:33Z

Tested:

pytest tests/test_smoke.py (failed [Azure] test_cancel_azure failed due to error of resnet user program #3974 , [GCP] test_gcp_disk_tier for best tier failed due to best tier not mapping to pd-extreme #3973; fixed test_skyserve_fast_update)

Michaelvll added 4 commits September 19, 2024 22:01

support policy hook

cb28b8d

test task labels

b64efa0

Add test for policy that sets labels

cf89929

Fix comment

54c93ea

Michaelvll changed the title ~~[Core] Customized policy enforcement Plugin~~ [Core] Customized policy enforcement plugin Sep 20, 2024

Michaelvll added 10 commits September 20, 2024 01:14

format

1d1c500

use -e to make test related files visible

a0bdb2c

Add config.rst

543e66a

Fix test

520a2a1

fix config rst

b533351

Apply policy to service

466f7fe

add policy for serving

050dc7a

Add docs

31e0174

fix

0c74f2a

format

48a6cc9

concretevitamin reviewed Sep 20, 2024

View reviewed changes

Michaelvll added 14 commits September 20, 2024 22:33

Update interface

1ca5a8a

fix

14b2346

Fix

cb39c73

fix

1e3ddef

Fix test config

aa87df7

Fix mutated config

28487a4

fix

d1f0480

Add policy doc

f42ace5

rename

c04f3dc

minor

58f413c

Add additional arguments for autostop

52053bd

fix mypy

4a4f682

format

a8d1c44

rejected message

6c73d81

Michaelvll and others added 15 commits September 23, 2024 00:27

wip

a6dd900

Update docs/source/cloud-setup/policy.rst

4274287

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

Update docs/source/cloud-setup/policy.rst

0609482

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

Update docs/source/cloud-setup/policy.rst

67552d7

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

fix

7de757e

Merge branch 'policy-hook' of github.com:skypilot-org/skypilot into p…

8443ddc

…olicy-hook

fix

7fbc30d

fix

92b68fc

Use sky.status for autostop

7d8af9a

update policy

5b37f47

Update docs/source/cloud-setup/policy.rst

c7af310

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

fix policy.rst

cb232a8

Merge branch 'policy-hook' of github.com:skypilot-org/skypilot into p…

5e9f544

…olicy-hook

Add comment

deb4c92

Fix logging

cbff59d

Michaelvll changed the title ~~[Core] Customized policy enforcement plugin~~ [Core] Admin policy enforcement plugin Sep 23, 2024

fix CI

1fe350a

Michaelvll requested a review from concretevitamin September 23, 2024 07:30

concretevitamin approved these changes Sep 23, 2024

View reviewed changes

Michaelvll and others added 6 commits September 23, 2024 10:07

Update docs/source/cloud-setup/policy.rst

2e8e41c

Co-authored-by: Zongheng Yang <zongheng.y@gmail.com>

Use sphnix inline code

aae42ce

Merge branch 'policy-hook' of github.com:skypilot-org/skypilot into p…

73c8fb7

…olicy-hook

Add comment

11bbd5e

fix skypilot config file mounts for jobs and serve

3630535

Merge branch 'master' of github.com:skypilot-org/skypilot into policy…

e020dea

…-hook

Michaelvll added this pull request to the merge queue Sep 24, 2024

Merged via the queue into master with commit 800f7d6 Sep 24, 2024
20 checks passed

Michaelvll deleted the policy-hook branch September 24, 2024 04:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Core] Admin policy enforcement plugin #3966

[Core] Admin policy enforcement plugin #3966

Michaelvll commented Sep 20, 2024 •

edited

Loading

concretevitamin Sep 20, 2024

Michaelvll Sep 20, 2024

concretevitamin left a comment

concretevitamin Sep 23, 2024

Michaelvll commented Sep 24, 2024

		@@ -124,6 +125,8 @@ def up(

		_validate_service_task(task)

		task = policy.Policy().apply_to_task(task)

[Core] Admin policy enforcement plugin #3966

[Core] Admin policy enforcement plugin #3966

Conversation

Michaelvll commented Sep 20, 2024 • edited Loading

Usage:

User-side

Admin-side

concretevitamin Sep 20, 2024

Choose a reason for hiding this comment

Michaelvll Sep 20, 2024

Choose a reason for hiding this comment

concretevitamin left a comment

Choose a reason for hiding this comment

concretevitamin Sep 23, 2024

Choose a reason for hiding this comment

Michaelvll commented Sep 24, 2024

Michaelvll commented Sep 20, 2024 •

edited

Loading