Add securityContexts in dagProcessor.logGroomerSidecar

[aldwyn]

Official Helm Chart version

1.10.0 (latest released)

Apache Airflow version

2.7.1

Kubernetes Version

1.26.7

Helm Chart configuration

No response

Docker Image customizations

No response

What happened

When enabling dagProcessor.logGroomerSidecar, our OPA gatekeeper flags the dag-processor-log-groomer container with the appropriate non-root permissions. There is no way to set the securityContexts for this sidecar as it is not even enabled.

What you think should happen instead

The securityContexts setting for the dag-processor-log-groomer container should be configurable.

How to reproduce

In the Helm values, set dagProcessor.logGroomerSidecar to true.

Anything else

This problem occurs when there are OPA policies in place pertaining to strict securityContexts settings.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[MPParsley]

Hi @aldwyn, do you have an example values.yml file to set a securityContext?

[aldwyn]

Hi @MPParsley , here's the sample values.yaml config for the dagProcessor only:

dagProcessor:
  enabled: true
  waitForMigrations:
    enabled: false
  resources:
    limits:
      cpu: 700m
      memory: 512Mi
    requests:
      cpu: 700m
      memory: 512Mi
  logGroomerSidecar:
    enabled: true
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 100m
        memory: 128Mi
    securityContexts:
      container:
        runAsNonRoot: true
        runAsUser: 50000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        # readOnlyRootFilesystem: true
        seccompProfile:
          type: RuntimeDefault