-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow airflow standard images to run in openshift utilising the official helm chart #18136 #18147
Conversation
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure of all the details but some initial comments
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we check that the serviceaccounts are being created?
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
@jedcunningham I hope I managed to fix all issues you pointed out. Sorry for the trouble and thanks for the help! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nwalens, I apologize, but looking again I think I was wrong with checking <component>.serviceAccount.create
. I think we want them to be set regardless and the <component>.serviceAccountName
templates handles the details. Sorry about that!
chart/templates/rbac/security-context-constraint-rolebinding.yaml
Outdated
Show resolved
Hide resolved
- Create a rolebinding for all required service accounts so they can use the anyuid SCC in openshift. Signed-off-by: Ney walens De Mesquita <walens@gmail.com>
- Support openshift securityContextConstraints in order to allow pods to run with anyuid scc. - The option is disabled by default since it is specific to openshift 4 setups Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
- SCCs will always be cluster roles Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
- simplify the parameter name - add checks for service accounts so we do not bind the role to unexisting accounts Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
- Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
- The feature will be released in a future release Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
- This will ensure that the correct values for each service account are properly checked Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
No worries at all. I have removed the checks as requested. |
@nwalens, looks good. Can you add at least a basic test to make sure it is created when enabled and has the right |
@nwalens Flower tests are at https://github.com/apache/airflow/blob/main/chart/tests/test_flower.py which you can use as an example |
Approved - but the test mentioned by @jedcunningham should be added |
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease. |
Signed-of-by: Ney Walens De Mesquita <walens@gmail.com>
@jedcunningham and @potiuk, sorry for the late reply. I have just rebased and added the unit test. Thanks a lot. |
Some static/helm unit test failed |
Awesome work, congrats on your first merged pull request! |
🎉 🎉 🎉 🎉 🎉 🎉 |
Thank you very much! |
This pull request adds the parameter rbac.createSCCRoleBinding.
When enabled, a new RoleBinding object will be created targeting the various serviceAccounts utilised by deployments and pods.
The roleBinding will target the
system:openshift:scc:anyuid
cluster role which allows for pods to start with any arbitrary uid.The ideal solution would also add the possibility of removing the security contexts altogether, however this would not be possible due to a number of pod templates setting different uids.
I will investigate the possibility to add the option of removing the security contexts so that openshift can then set its own uid as intended.
As it is, the pods will start and work as expected, utilising the predefined uids set in values file or the default image uid as set during build.
The change is not intrusive and should work in the current workflow as is. The option is also set to false by default in order to not impact any existing setups.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.