Add support for securityContext per deployment #18249
Conversation
nwalens
requested review from
ashb,
dimberman,
jedcunningham and
kaxil
as code owners
nwalens
changed the title
There was a problem hiding this comment.
My initial thought is we should move the component specific params from podSecurity.<component>.securityContext to <component>.podSecurity.securityContext. Basically, don't follow the lead of images, but of serviceAccount, command, args, etc. Thoughts/input @kaxil?
|
Needs rebase (and some comments application) |
|
Hello @nwalens - can you rebase please? |
|
@potiuk the code was rebased. I'm still testing it after applying the changes @jedcunningham has requested and I am having some issues with several tests. |
|
Basic tests should be working fine and behaving the same as the current chart. Basically, when a configuration is not set for a component, it will default to podSecurity.securityContext or podSecurity.containerSecurityContext. securityContext will be set for the whole Pod and containerSecurityContext for each container within the pod. |
There was a problem hiding this comment.
As for uid and gid, we either need to add backwards compatibility for them, or we need to wait for 2.0.0 of the chart.
One option to add backwards compatibility might be to add a template to _helper to render the default, allowing the logic of using podSecurity.securityContext or uid and gid to be contained and implemented once. Types may make it not a simple drop-in with the default | toYaml you currently have, but would still be reasonable.
|
You need to rebase and resolve the conflicts, I am afraid. |
nwalens
requested review from
bbovenzi,
ephraimbuddy and
jhtimmins
as code owners
|
Can you fix the conflicts one more time please and mention us when you are done? |
|
@kaxil rebased as requested. |
|
any reason you did not touch pg bouncer? |
- Create a rolebinding for all required service accounts so they can use the anyuid SCC in openshift. Signed-off-by: Ney walens De Mesquita <[email protected]>
dstandish
force-pushed
the
feature/securityContext
branch
from
68c9749
to
7b7ca6a
Compare
github-actions
bot
added
the
okay to merge
|
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease. |
At first the intention was to cover whatever was referencing the global UID and GID parameters, in a later stage it was extended to some components like gitSync and Triggerer due to the integration they have with the main components. What do you think? Should it be extended to the likes of pgBouncer and redis at this point? |
@ashb - On a second thought, I'm not sure we should test that. This PR does not allow for using UID and GID + securityContext + .securityContext. If you set .securityContext, the values set here will be used and all other values from UID, GID and securityContext ignored. They don't add on top of each other. The order they currently follow is .securityContext > securityContext > (UID & GID). |
- rename globalSecurityContext to airflowSecurityContext - rename globalSecurityContextIds to airflowSecurityContextIds - improve comments to guide on the template usage
Let's leave these for a future PR. @ash, there is already coverage for the local vs global vs uid/gid precedence, so we should be good on that front. |
|
Thanks for the contribution @nwalens 🎉! (also thanks for being patient) |
closes: #17744
related: #18136
This PR replaces the global "uid" and "gid" with a per deployment securityContext setting.
Fields are configured as follows:
The default will be used in case the individual setting is disabled.
This change allows for more configurability and allows the usage of arbitrary securityContexts as permitted by the official docker images.
The issue #18136 still requires the PR #18147 for Openshift clusters since there is no option to remove securityContexts altogether.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.