Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow airflow standard images to run in openshift utilising the official helm chart #18136 #18147

Merged
merged 15 commits into from
Sep 28, 2021
Merged

Allow airflow standard images to run in openshift utilising the official helm chart #18136 #18147

merged 15 commits into from
Sep 28, 2021

Conversation

nwalens
Copy link
Contributor

@nwalens nwalens commented Sep 10, 2021
edited
Loading

This pull request adds the parameter rbac.createSCCRoleBinding.
When enabled, a new RoleBinding object will be created targeting the various serviceAccounts utilised by deployments and pods.
The roleBinding will target the system:openshift:scc:anyuid cluster role which allows for pods to start with any arbitrary uid.
The ideal solution would also add the possibility of removing the security contexts altogether, however this would not be possible due to a number of pod templates setting different uids.
I will investigate the possibility to add the option of removing the security contexts so that openshift can then set its own uid as intended.
As it is, the pods will start and work as expected, utilising the predefined uids set in values file or the default image uid as set during build.

The change is not intrusive and should work in the current workflow as is. The option is also set to false by default in order to not impact any existing setups.

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.

@boring-cyborg boring-cyborg bot added the area:helm-chart Airflow Helm Chart label Sep 10, 2021
@boring-cyborg
Copy link

boring-cyborg bot commented Sep 10, 2021

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
Here are some useful points:

  • Pay attention to the quality of your code (flake8, mypy and type annotations). Our pre-commits will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it’s a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

@nwalens nwalens mentioned this pull request Sep 10, 2021
Closed
2 tasks
potiuk
potiuk reviewed Sep 10, 2021
View reviewed changes
Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure of all the details but some initial comments

chart/values.yaml Outdated Show resolved Hide resolved
chart/values.schema.json Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
jedcunningham
jedcunningham reviewed Sep 10, 2021
View reviewed changes
Copy link
Member

@jedcunningham jedcunningham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we check that the serviceaccounts are being created?

chart/CHANGELOG.txt Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
chart/values.yaml Outdated Show resolved Hide resolved
chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
@nwalens
Copy link
Contributor Author

nwalens commented Sep 10, 2021

@jedcunningham I hope I managed to fix all issues you pointed out.

Sorry for the trouble and thanks for the help!

@mik-laj mik-laj linked an issue Sep 12, 2021 that may be closed by this pull request
Allow airflow standard images to run in openshift utilising the official helm chart #18136
Closed
2 tasks
@nwalens nwalens mentioned this pull request Sep 14, 2021
Merged
jedcunningham
jedcunningham reviewed Sep 15, 2021
View reviewed changes
Copy link
Member

@jedcunningham jedcunningham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nwalens, I apologize, but looking again I think I was wrong with checking <component>.serviceAccount.create. I think we want them to be set regardless and the <component>.serviceAccountName templates handles the details. Sorry about that!

chart/templates/rbac/security-context-constraint-rolebinding.yaml Outdated Show resolved Hide resolved
docs/helm-chart/production-guide.rst Outdated Show resolved Hide resolved
docs/helm-chart/production-guide.rst Outdated Show resolved Hide resolved
docs/helm-chart/production-guide.rst Outdated Show resolved Hide resolved
@nwalens
Add support for openshift security context constraints.
cc87310 
- Create a rolebinding for all required service accounts so they can use the anyuid SCC in openshift.

Signed-off-by: Ney walens De Mesquita <walens@gmail.com>
@nwalens
add extra option for security context constraints
684ef9a 
- Support openshift securityContextConstraints in order to allow pods to run with anyuid scc.
- The option is disabled by default since it is specific to openshift 4 setups

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
Cleanup on scc rolebing
6999884 
- SCCs will always be cluster roles

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
rename helm option and add further checks
e5521ec 
- simplify the parameter name
- add checks for service accounts so we do not bind the role to unexisting accounts

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
include documentation for the added parameter
913d4ef 
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
update changelog
f06e5dd 
- Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
fix typo (extra space)
d06335b 
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
remove changelog
62d1e28 
- The feature will be released in a future release

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
Check for service accounts for each of the components
fcb16b1 
- This will ensure that the correct values for each service account are properly checked

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
Add documentation and improve reference to the new feature.
52acf61 
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
remove service accunt checks and fix documentation typos.
92f01af 
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens nwalens requested a review from potiuk September 20, 2021 11:12
@nwalens
Copy link
Contributor Author

nwalens commented Sep 20, 2021

@nwalens, I apologize, but looking again I think I was wrong with checking <component>.serviceAccount.create. I think we want them to be set regardless and the <component>.serviceAccountName templates handles the details. Sorry about that!

No worries at all. I have removed the checks as requested.

@jedcunningham
Copy link
Member

@nwalens, looks good. Can you add at least a basic test to make sure it is created when enabled and has the right kind. Ideally we cover the conditional stuff too, like "flower".

@kaxil
Copy link
Member

kaxil commented Sep 20, 2021

@nwalens Flower tests are at https://github.com/apache/airflow/blob/main/chart/tests/test_flower.py which you can use as an example

@potiuk
Copy link
Member

potiuk commented Sep 24, 2021

Approved - but the test mentioned by @jedcunningham should be added

@github-actions github-actions bot added the okay to merge It's ok to merge this PR as it does not require more tests label Sep 24, 2021
@github-actions
Copy link

The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.

nwalens and others added 2 commits September 26, 2021 18:20
@nwalens
Merge branch 'apache:main' into main
453e03e
@nwalens
add unit test for SCC creation
ea1c4fe 
Signed-of-by: Ney Walens De Mesquita <walens@gmail.com>
@nwalens
Copy link
Contributor Author

nwalens commented Sep 26, 2021

@jedcunningham and @potiuk, sorry for the late reply.

I have just rebased and added the unit test.

Thanks a lot.

@potiuk
Copy link
Member

potiuk commented Sep 27, 2021

Some static/helm unit test failed

@potiuk potiuk merged commit 45e8191 into apache:main Sep 28, 2021
@boring-cyborg
Copy link

boring-cyborg bot commented Sep 28, 2021

Awesome work, congrats on your first merged pull request!

@potiuk
Copy link
Member

potiuk commented Sep 28, 2021

🎉 🎉 🎉 🎉 🎉 🎉

@nwalens
Copy link
Contributor Author

nwalens commented Sep 28, 2021

🎉 🎉 🎉 🎉 🎉 🎉

Thank you very much!

@kaxil kaxil mentioned this pull request Nov 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@potiuk potiuk potiuk approved these changes

@jedcunningham jedcunningham jedcunningham approved these changes

@ashb ashb Awaiting requested review from ashb

@dimberman dimberman Awaiting requested review from dimberman

@kaxil kaxil Awaiting requested review from kaxil

Assignees
No one assigned
Labels
area:helm-chart Airflow Helm Chart okay to merge It's ok to merge this PR as it does not require more tests
Projects
None yet
Milestone
Airflow Helm Chart 1.3.0
Development

Successfully merging this pull request may close these issues.

Allow airflow standard images to run in openshift utilising the official helm chart
4 participants
@nwalens @jedcunningham @kaxil @potiuk