You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by di...@apache.org on 2020/06/25 19:33:20 UTC
[airflow] 02/02: [AIRFLOW-5641] Support running git sync container
as root (#6312)
This is an automated email from the ASF dual-hosted git repository.
dimberman pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 6010ee2f8aeea70cb24a3b4a7870ffc814261a09
Author: Qingping Hou <qp...@scribd.com>
AuthorDate: Tue Oct 15 03:58:31 2019 -0700
[AIRFLOW-5641] Support running git sync container as root (#6312)
(cherry picked from commit 133085eb47e04683ce3dca52b967aa41f8139613)
---
airflow/executors/kubernetes_executor.py | 5 +++--
airflow/kubernetes/worker_configuration.py | 2 +-
tests/kubernetes/test_worker_configuration.py | 15 +++++++++++++++
3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/airflow/executors/kubernetes_executor.py b/airflow/executors/kubernetes_executor.py
index 74e504e..e3be2ef 100644
--- a/airflow/executors/kubernetes_executor.py
+++ b/airflow/executors/kubernetes_executor.py
@@ -20,6 +20,7 @@ import json
import multiprocessing
import time
from queue import Empty
+from typing import Union
from uuid import uuid4
import kubernetes
@@ -210,10 +211,10 @@ class KubeConfig:
# pod security context items should return integers
# and only return a blank string if contexts are not set.
- def _get_security_context_val(self, scontext):
+ def _get_security_context_val(self, scontext: str) -> Union[str, int]:
val = conf.get(self.kubernetes_section, scontext)
if not val:
- return 0
+ return ""
else:
return int(val)
diff --git a/airflow/kubernetes/worker_configuration.py b/airflow/kubernetes/worker_configuration.py
index 3464e81..820763b 100644
--- a/airflow/kubernetes/worker_configuration.py
+++ b/airflow/kubernetes/worker_configuration.py
@@ -163,7 +163,7 @@ class WorkerConfiguration(LoggingMixin):
if self.kube_config.git_sync_run_as_user != "":
init_containers.security_context = k8s.V1SecurityContext(
- run_as_user=self.kube_config.git_sync_run_as_user or 65533
+ run_as_user=self.kube_config.git_sync_run_as_user
) # git-sync user
return [init_containers]
diff --git a/tests/kubernetes/test_worker_configuration.py b/tests/kubernetes/test_worker_configuration.py
index 74009a1..73b3f20 100644
--- a/tests/kubernetes/test_worker_configuration.py
+++ b/tests/kubernetes/test_worker_configuration.py
@@ -305,6 +305,21 @@ class TestKubernetesWorkerConfiguration(unittest.TestCase):
self.assertIsNone(init_containers[0].security_context)
+ def test_init_environment_using_git_sync_run_as_user_root(self):
+ # Tests if git_syn_run_as_user is '0', securityContext is created with
+ # the right uid
+
+ self.kube_config.dags_volume_claim = None
+ self.kube_config.dags_volume_host = None
+ self.kube_config.dags_in_image = None
+ self.kube_config.git_sync_run_as_user = 0
+
+ worker_config = WorkerConfiguration(self.kube_config)
+ init_containers = worker_config._get_init_containers()
+ self.assertTrue(init_containers) # check not empty
+
+ self.assertEqual(0, init_containers[0].security_context.run_as_user)
+
def test_make_pod_run_as_user_0(self):
# Tests the pod created with run-as-user 0 actually gets that in it's config
self.kube_config.worker_run_as_user = 0