Posted to commits@airflow.apache.org by as...@apache.org on 2021/05/06 08:40:35 UTC

[airflow] branch master updated: Update KubeExecutor pod templates to allow access to IAM permissions (#15669)

This is an automated email from the ASF dual-hosted git repository.

ash pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/master by this push:
     new 1024c92  Update KubeExecutor pod templates to allow access to IAM permissions (#15669)
1024c92 is described below

commit 1024c922e603bb2e9d7de279761724609e4b4059
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Thu May 6 09:39:31 2021 +0100

    Update KubeExecutor pod templates to allow access to IAM permissions (#15669)
    
    If AWS's Identity-based IAM policies are in use on the cluster the
    token file will be mounted into the pod (via the service account) and,
    prior to this change, will be owned by root.
    
    Specifying `fsGroup` makes the file group-readable by the `airflow`
    user.
    
    We already specify this in our helm chart, so this change is just for
    anyone looking at the docs.
---
 .../kubernetes/pod_template_file_examples/dags_in_image_template.yaml    | 1 +
 .../kubernetes/pod_template_file_examples/dags_in_volume_template.yaml   | 1 +
 airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml     | 1 +
 3 files changed, 3 insertions(+)

diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml
index 686d1d1..27a7e96 100644
--- a/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml
+++ b/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml
@@ -65,6 +65,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity:
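
Review bot: the added `fsGroup: 50000` line in the pod-level `securityContext` has no comment, so the reason for it lives only in the commit message. These files are example templates that people copy and adapt, and the commit message says the change is aimed at people reading the docs, so a one-line YAML comment above it would carry the reasoning with the file, for example `# fsGroup makes the mounted service account token file group-readable by the airflow user`.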
diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml
index cf2daec..a290cf5 100644
--- a/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml
+++ b/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml
@@ -62,6 +62,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity:
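
Review bot: `fsGroup: 50000` is a pod-level setting that Kubernetes applies to every volume in the pod that supports ownership management, not only to the token file, so in this dags-in-volume template it can also change group ownership on the DAGs volume. By default that ownership change is applied recursively on every mount, which can slow pod start-up on a large volume. Consider saying so in a comment next to the new line, or adding `fsGroupChangePolicy: "OnRootMismatch"` alongside it if the supported Kubernetes versions allow it.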
diff --git a/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml b/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml
index dee6a08..05d3609 100644
--- a/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml
+++ b/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml
@@ -86,6 +86,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity:
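
Review bot: `fsGroup` under the pod-level `securityContext` is added as a supplementary group to every container in the pod, so in this template (going by the file name) it covers the git-sync container as well as the Airflow worker. It would be worth confirming that files git-sync writes to the shared volume stay readable by the worker with group 50000 applied, and noting in the template that the setting is pod-wide, since the hunk only shows `runAsUser: 50000` and `fsGroup: 50000` with no per-container context.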