Skip to content

Policies Examples

This article provides examples of:

  1. Creating a new rule within a policy
  2. Best practices for adding sections to a policy
  3. A full example of a policy.

Creating a new rule within a policy

This example shows how to add a new limitation to the GPU usage for workloads of type workspace:

  1. Check the workload API fields documentation and select the field(s) that are most relevant for GPU usage.

    {
    "spec": {
        "compute": {
        "gpuDevicesRequest": 1,
        "gpuRequestType": "portion",
        "gpuPortionRequest": 0.5,
        "gpuPortionLimit": 0.5,
        "gpuMemoryRequest": "10M",
        "gpuMemoryLimit": "10M",
        "migProfile": "1g.5gb",
        "cpuCoreRequest": 0.5,
        "cpuCoreLimit": 2,
        "cpuMemoryRequest": "20M",
        "cpuMemoryLimit": "30M",
        "largeShmRequest": false,
        "extendedResources": [
            {
            "resource": "hardware-vendor.example/foo",
            "quantity": 2,
            "exclude": false
            }
        ]
        },
    }
    }
    
  2. Search the field in the Policy YAML fields - reference table. For example, gpuDevicesRequest appears under the Compute fields sub-table and appears as follow:

Fields Description Value type Supported Run:ai workload type
gpuDeviceRequest Specifies the number of GPUs to allocate for the created workload. Only if gpuDeviceRequest = 1, the gpuRequestType can be defined. integer Workspace & Training
  1. Use the value type of the gpuDevicesRequest field indicated in the table - “integer” and navigate to the Value types table to view the possible rules that can be applied to this value type -

    for integer, the options are:

    • canEdit
    • required
    • min
    • max
    • step
  2. Proceed to the Rule Type table, select the required rule for the limitation of the field - for example “max” and use the examples syntax to indicate the maximum GPU device requested.

compute:
    gpuDevicesRequest:
        max: 2

Policy YAML best practices

Create a policy that has multiple defaults and rules

Best practice description: Presentation of the syntax while adding a set of defaults and rules

defaults:
  createHomeDir: true
  environmentVariables:
    instances:
    - name: MY_ENV
      value: my_value
security:
  allowPrivilegeEscalation: false

rules:
  storage:
    s3:
      attributes:
        url:
          options:
            - value: https://www.google.com
            displayed: https://www.google.com
            - value: https://www.yahoo.com
            displayed: https://www.yahoo.com
Allow only single selection out of many

Best practice description: Blocking the option to create all types of data sources except the one that is allowed is the solution.

rules:
  storage:
    dataVolume:
      instances:
        canAdd: false
    hostPath:
      instances:
        canAdd: false
    pvc:
      instances:
        canAdd: false
    git:
      attributes:
        repository:
          required: true
        branch:
          required: true
        path:
          required: true
    nfs:
      instances:
        canAdd: false
    s3:
      instances:
        canAdd: false
Create a robust set of guidelines

Best practice description: Set rules for specific compute resource usage, addressing most relevant spec fields

rules:
  compute:
    cpuCoreRequest:
      required: true
      min: 0
      max: 8
    cpuCoreLimit:
      min: 0
      max: 8
    cpuMemoryRequest:
      required: true
      min: '0'
      max: 16G
    cpuMemoryLimit:
      min: '0'
      max: 8G
    migProfile:
      canEdit: false
    gpuPortionRequest:
      min: 0
      max: 1
    gpuMemoryRequest:
      canEdit: false
    extendedResources:
      instances:
        canAdd: false
Environment creation (specific section)
rules:
  imagePullPolicy:
    required: true
    options:
    - value: Always
      displayed: Always
    - value: Never
      displayed: Never
  createHomeDir:
    canEdit: false
Setting security measures (specific section)
rules:
  security:
    runAsUid:
      min: 1
      max: 32700
    allowPrivilegeEscalation:
      canEdit: false
Policy for distributed training workloads (specific section)

Best practice description: Set rules and defaults for a distributed training workload with different settings for master and worker

defaults:
  worker:
    command: my-command-worker-1
    environmentVariables:
      instances:
        - name: LOG_DIR
          value: policy-worker-to-be-ignored
        - name: ADDED_VAR
          value: policy-worker-added
   security:
    runAsUid: 500
  storage:
     s3:
     attributes:
       bucket: bucket1-worker
 master:
   command: my-command-master-2
   environmentVariables:
     instances:
       - name: LOG_DIR
         value: policy-master-to-be-ignored
       - name: ADDED_VAR
         value: policy-master-added
    security:
      runAsUid: 800
    storage:
     s3:
       attributes:
         bucket: bucket1-master
 rules:
   worker:
     command:
       options:
         - value: my-command-worker-1
           displayed: command1
         - value: my-command-worker-2
           displayed: command2
     storage:
       nfs:
         instances:
           canAdd: false
       s3:
         attributes:
           bucket:
             options:
               - value: bucket1-worker
               - value: bucket2-worker
   master:
     command:
       options:
         - value: my-command-master-1
           displayed: command1
         - value: my-command-master-2
           displayed: command2
     storage:
       nfs:
         instances:
           canAdd: false
       s3:
         attributes:
           bucket:
             options:
               - value: bucket1-master
               - value: bucket2-master
Impose an asset (specific section)
 defaults: null
 rules: null
 imposedAssets:
   - f12c965b-44e9-4ff6-8b43-01d8f9e630cc

Example of a full policy

defaults:
  createHomeDir: true
  imagePullPolicy: IfNotPresent
  nodePools:
    - node-pool-a
    - node-pool-b
  environmentVariables:
    instances:
      - name: WANDB_API_KEY
        value: REPLACE_ME!
      - name: WANDB_BASE_URL
        value: https://wandb.mydomain.com
  compute:
    cpuCoreRequest: 0.1
    cpuCoreLimit: 20
    cpuMemoryRequest: 10G
    cpuMemoryLimit: 40G
    largeShmRequest: true
  security:
    allowPrivilegeEscalation: false
  storage:
    git:
      attributes:
        repository: https://git-repo.my-domain.com
        branch: master
    hostPath:
      instances:
        - name: vol-data-1
          path: /data-1
          mountPath: /mount/data-1
        - name: vol-data-2
          path: /data-2
          mountPath: /mount/data-2
rules:
  createHomeDir:
    canEdit: false
  imagePullPolicy:
    canEdit: false
  environmentVariables:
    instances:
      locked:
        - WANDB_BASE_URL
  compute:
    cpuCoreRequest:
      max: 32
    cpuCoreLimit:
      max: 32
    cpuMemoryRequest:
      min: 1G
      max: 20G
    cpuMemoryLimit:
      min: 1G
      max: 40G
    largeShmRequest:
      canEdit: false
    extendedResources:
      instances:
        canAdd: false
  security:
    allowPrivilegeEscalation:
      canEdit: false
    runAsUid:
      min: 1
  storage:
    hostPath:
      instances:
        locked:
          - vol-data-1
          - vol-data-2
imposedAssets:
  - 4ba37689-f528-4eb6-9377-5e322780cc27