Fix Airflow 3 task log access with NetworkPolicies#65754
Merged
potiuk merged 1 commit intoApr 28, 2026
Conversation
henry3260
requested review from
bugraoz93,
hussein-awala,
jedcunningham and
jscheffl
as code owners
henry3260
force-pushed
the
airflow3-log-networkpolicy-api-server
branch
from
7f95efc to
e43e20d
Compare
jscheffl
approved these changes
Apr 24, 2026
Contributor
jscheffl
left a comment
jscheffl
left a comment
There was a problem hiding this comment.
Good catch. Some second maintainer review?
jscheffl
added
the
backport-to-chart/v1-2x-test
potiuk
added
the
ready for maintainer review
henry3260
force-pushed
the
airflow3-log-networkpolicy-api-server
branch
from
e43e20d to
c5fb422
Compare
potiuk
approved these changes
Apr 28, 2026
Contributor
Backport failed to create: chart/v1-2x-test. View the failure log Run detailsNote: As of Merging PRs targeted for Airflow 3.X In matter of doubt please ask in #release-management Slack channel.
You can attempt to backport this manually by running: cherry_picker 8b2ce00 chart/v1-2x-testThis should apply the commit to the chart/v1-2x-test branch and leave the commit in conflict state marking After you have resolved the conflicts, you can continue the backport process by running: cherry_picker --continueIf you don't have cherry-picker installed, see the installation guide. |
Contributor
|
@potiuk Are you adding the backport? |
1 task
This was referenced May 31, 2026
potiuk
added a commit
that referenced
this pull request
May 31, 2026
1 task
potiuk
added a commit
that referenced
this pull request
May 31, 2026
…67817) The 1.2x chart line supports both Airflow 2.11 (logs served by the webserver) and Airflow 3 (logs served by the api-server). #65754 unconditionally changed the scheduler/triggerer/worker NetworkPolicy log-ingress selectors to api-server, which would break task log access on Airflow 2.11 deployments. Choose the component based on .Values.airflowVersion via semverCompare (>=3.0.0 -> api-server, else webserver), matching how the chart already selects webserver vs api-server elsewhere. Tests now cover both Airflow versions.
1 task
29 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
In Airflow 3, task logs are fetched through the API server rather than the webserver.
The Helm chart still allowed ingress to the scheduler, triggerer, and worker log-serving ports only from pods labeled
component: webserver. WhennetworkPolicies.enabled=true, this can block the API server from reaching those log endpoints and break task log access in Airflow 3.Was generative AI tooling used to co-author this PR?
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.