Update KubeExecutor pod templates to allow access to IAM token files #15669

Merged
merged 1 commit into from May 6, 2021

@ashb ashb commented May 5, 2021

If AWS's Identity-based IAM policies are in use on the cluster the
token file will be mounted into the pod (via the service account) and,
prior to this change, will be owned by root.

Specifying `fsGroup` makes the file group-readable by the `airflow`
user.

We already specify this in our helm chart, so this change is just for
anyone looking at the docs.



@ashb ashb requested a review from dimberman as a code owner May 5, 2021 10:55
@boring-cyborg boring-cyborg bot added the provider:cncf-kubernetes Kubernetes provider related issues label May 5, 2021
@ashb ashb requested a review from jedcunningham May 5, 2021 10:55

github-actions bot commented May 5, 2021

The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease.

@github-actions github-actions bot added the full tests needed We need to run full set of tests for this PR to merge label May 5, 2021
@ashb ashb force-pushed the iam-access-kube-exec-templates branch from 2d49561 to a58ad55 Compare May 5, 2021 20:15
@ashb ashb merged commit 1024c92 into apache:master May 6, 2021
@ashb ashb deleted the iam-access-kube-exec-templates branch May 6, 2021 08:39
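A diagnostic for the ownership problem described in the PR, as an added example that is not part of the pull request or of Airflow: run inside a worker pod, it reports whether the current non-root user can read the mounted IAM token file and through which permission class. The function names are hypothetical, and `AWS_WEB_IDENTITY_TOKEN_FILE` is the variable AWS SDKs use to locate this file; it is not named in the PR.

```python
import os
import stat
from typing import Iterable, Optional

# Environment variable the AWS SDKs read to locate the web identity token file.
TOKEN_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE"


def read_access_via(st_uid: int, st_gid: int, st_mode: int,
                    uid: int, gids: Iterable[int]) -> Optional[str]:
    """Return the permission class that grants read access, or None.

    Follows the POSIX rule: the first matching class (owner, then group,
    then other) decides, and later classes are not consulted.
    """
    if uid == 0:
        return "root"  # assumes root keeps CAP_DAC_OVERRIDE in the container
    if uid == st_uid:
        return "owner" if st_mode & stat.S_IRUSR else None
    if st_gid in set(gids):
        return "group" if st_mode & stat.S_IRGRP else None
    return "other" if st_mode & stat.S_IROTH else None


def diagnose(path: str) -> str:
    """Describe whether the current process can read the token file at path."""
    st = os.stat(path)
    uid = os.geteuid()
    gids = {os.getegid(), *os.getgroups()}
    via = read_access_via(st.st_uid, st.st_gid, st.st_mode, uid, gids)
    detail = (f"{path}: owner={st.st_uid} group={st.st_gid} "
              f"mode={stat.S_IMODE(st.st_mode):04o}")
    if via:
        return f"OK ({via}) {detail}"
    return (f"DENIED {detail}; process uid={uid} gids={sorted(gids)}; "
            "set fsGroup in the pod securityContext")


if __name__ == "__main__":
    token_path = os.environ.get(TOKEN_ENV)
    print(diagnose(token_path) if token_path else f"{TOKEN_ENV} is not set")
```

A `DENIED` result on a root-owned file is the state the PR describes before `fsGroup` is set; after the change the same check should report `OK (group)`.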