Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/03/11 14:43:03 UTC

[GitHub] [airflow] flipstone42 opened a new pull request #22182: Add securityContext config for Redis to helm chart

flipstone42 opened a new pull request #22182:
URL: https://github.com/apache/airflow/pull/22182


   - Add securityContext templating to statefulSet manifest
   - Add securityContext commented-out to values.yaml
   - Add securityContext section to values.schema.json


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] jedcunningham commented on a change in pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on a change in pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#discussion_r838022039



##########
File path: chart/values.yaml
##########
@@ -1328,6 +1328,11 @@ redis:
   affinity: {}
   tolerations: []
 
+  # When not set, the values defined in the global securityContext will be used
+  securityContext: {}
+  #  runAsUser: 50000
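Review bot: the commented example `runAsUser: 50000` is the Airflow uid rather than the uid of the `redis` user the container normally runs as (the review below gives `999` for that), so as written it nudges operators toward running Redis under the Airflow account; the example should show the Redis user instead. The comment on the line above also promises a fallback to the global `securityContext`, which only holds if the StatefulSet template actually merges the global context in; if Redis is meant to keep its own context, the comment should name the value it really falls back to.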

Review comment:
       ```suggestion
     #  runAsUser: 999
   ```


[GitHub] [airflow] pgvishnuram commented on pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
pgvishnuram commented on pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#issuecomment-1081651890


   @jedcunningham  should we also add in redis sts in test_check_local_setting 


[GitHub] [airflow] jedcunningham commented on a change in pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on a change in pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#discussion_r838022558



##########
File path: chart/values.yaml
##########
@@ -1328,6 +1328,11 @@ redis:
   affinity: {}
   tolerations: []
 
+  # When not set, the values defined in the global securityContext will be used

Review comment:
       I'll add that using `999` as the default does change the behavior as it runs as `redis` not `root`, but that worked for me even if the redis db was owned as `root`. If we want to be extra safe though, we might consider defaulting to `0` instead.


[GitHub] [airflow] boring-cyborg[bot] commented on pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#issuecomment-1065176587


   Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
   Here are some useful points:
   - Pay attention to the quality of your code (flake8, mypy and type annotations). Our [pre-commits]( https://github.com/apache/airflow/blob/main/STATIC_CODE_CHECKS.rst#prerequisites-for-pre-commit-hooks) will help you with that.
   - In case of a new feature add useful documentation (in docstrings or in `docs/` directory). Adding a new operator? Check this short [guide](https://github.com/apache/airflow/blob/main/docs/apache-airflow/howto/custom-operator.rst) Consider adding an example DAG that shows how users should use it.
   - Consider using [Breeze environment](https://github.com/apache/airflow/blob/main/BREEZE.rst) for testing locally, it’s a heavy docker but it ships with a working Airflow and a lot of integrations.
   - Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
   - Please follow [ASF Code of Conduct](https://www.apache.org/foundation/policies/conduct) for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
   - Be sure to read the [Airflow Coding style]( https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#coding-style-and-best-practices).
   Apache Airflow is a community-driven project and together we are making it better 🚀.
   In case of doubts contact the developers at:
   Mailing List: dev@airflow.apache.org
   Slack: https://s.apache.org/airflow-slack


[GitHub] [airflow] flipstone42 commented on pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
flipstone42 commented on pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#issuecomment-1084945423


   Apologies for not following up sooner @jedcunningham - would you like me to implement the changes you suggest here, or close this PR in favour of #22663?


[GitHub] [airflow] jedcunningham commented on pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#issuecomment-1084964473


   @flipstone42, no worries! Yeah go ahead and make them here. I don't want to swipe your first commit, but I do want to get this done for the next chart release 👍.
   
   There was one other test change I had added, so you can use my PR as an example.


[GitHub] [airflow] flipstone42 commented on pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
flipstone42 commented on pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#issuecomment-1086880169


   @jedcunningham I've implemented your suggested changes, and defaulted the uid of the redis statefulset to 0 for backwards-compatibility 😄


[GitHub] [airflow] jedcunningham commented on a change in pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on a change in pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#discussion_r837797114



##########
File path: chart/values.schema.json
##########
@@ -3764,6 +3764,19 @@
                             }
                         }
                     }
+                },
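Review bot: with only a closing `},` in this hunk the Redis section of the schema gains `securityContext` but no `uid` property, so the per-component fallback that the other components expose (`redis.uid`) has no schema entry to document or validate it; add a `uid` integer entry next to `securityContext`, and keep its `default` in step with whatever default `values.yaml` ends up shipping for Redis so the two files do not disagree.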

Review comment:
       ```suggestion
                   },
                   "uid": {
                       "description": "Redis run as user parameter.",
                       "type": "integer",
                       "default": 999
                   },
   ```
   
   Which means we also need `uid`.

##########
File path: chart/templates/redis/redis-statefulset.yaml
##########
@@ -22,6 +22,7 @@
 {{- $nodeSelector := or .Values.redis.nodeSelector .Values.nodeSelector }}
 {{- $affinity := or .Values.redis.affinity .Values.affinity }}
 {{- $tolerations := or .Values.redis.tolerations .Values.tolerations }}
+{{- $securityContext := include "airflowSecurityContext" (list . .Values.redis) }}
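Review bot: `include "airflowSecurityContext" (list . .Values.redis)` pulls the global Airflow security context into the Redis StatefulSet whenever `redis.securityContext` is unset, so a chart with a global `runAsUser` would silently change which uid Redis runs under. Use the per-component helper instead, `include "localSecurityContext" .Values.redis`, so Redis falls back to its own `uid` and never inherits the global context, and cover that precedence in `tests/charts/test_security_context.py`.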

Review comment:
       ```suggestion
   {{- $securityContext := include "localSecurityContext" .Values.redis }}
   ```
   
   This should use `localSecurityContext` instead. We don't want the global Airflow security context to apply to Redis.

##########
File path: chart/values.schema.json
##########
@@ -3764,6 +3764,19 @@
                             }
                         }
                     }
+                },
+                "securityContext": {
+                    "description": "Security context for the cleanup job pod. If not set, the values from `securityContext` will be used.",
+                    "type": "object",
+                    "$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+                    "default": {},
+                    "examples": [
+                        {
+                            "runAsUser": 50000,
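Review bot: the `description` of the new `"securityContext"` entry reads "Security context for the cleanup job pod", a copy-paste leftover that should describe the Redis StatefulSet pod; the fallback it names (the global `securityContext`) should also match the helper the template ends up using. Separately, the example `"runAsUser": 50000` is the Airflow uid; the `redis` user's uid (`999` per the review) is the accurate illustration here.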

Review comment:
       ```suggestion
                               "runAsUser": 999,
   ```
   
   This will be a better example, as this is the uid of the `redis` user.

##########
File path: chart/values.yaml
##########
@@ -1328,6 +1328,11 @@ redis:
   affinity: {}
   tolerations: []
 
+  # When not set, the values defined in the global securityContext will be used
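Review bot: the comment `When not set, the values defined in the global securityContext will be used` describes a global fallback, while the precedence this PR is settling is `redis.securityContext` over `redis.uid`; rewrite the comment to state that fallback and add the `uid` key it refers to, so the user Redis runs as is explicit in `values.yaml` rather than implied by a comment.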

Review comment:
       ```suggestion
     uid: 999
     # If not set, `redis.uid` will be used
   ```

##########
File path: tests/charts/test_security_context.py
##########
@@ -33,6 +33,7 @@ def test_check_deployments_and_jobs(self):
             },
             show_only=[
                 "templates/flower/flower-deployment.yaml",
+                "templates/redis/redis-statefulset.yaml",
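Review bot: adding `templates/redis/redis-statefulset.yaml` to `test_check_deployments_and_jobs` asserts that the global security context is applied to the Redis pod, which is the opposite of what a Redis wired to the per-component helper should do; drop this line and instead extend the local-uid test to render the Redis StatefulSet alongside statsd and assert that `securityContext.runAsUser` takes priority over `uid`.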

Review comment:
       Instead, we should refactor `test_check_statsd_uid` to be like this:
   
   ```python
       # Test containerSecurity priority over uid under components using localSecurityContext
       def test_check_local_uid(self):
           component_contexts = {"uid": 3000, "securityContext": {"runAsUser": 7000}}
           docs = render_chart(
               values={
                   "redis": {**component_contexts},
                   "statsd": {"enabled": True, **component_contexts},
               },
               show_only=[
                   "templates/statsd/statsd-deployment.yaml",
                   "templates/redis/redis-statefulset.yaml",
               ],
           )
   
           for doc in docs:
               assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", doc)
   ```

##########
File path: tests/charts/test_security_context.py
##########
@@ -33,6 +33,7 @@ def test_check_deployments_and_jobs(self):
             },
             show_only=[
                 "templates/flower/flower-deployment.yaml",
+                "templates/redis/redis-statefulset.yaml",

Review comment:
       ```suggestion
   ```


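The precedence the reviewers settle above, as an added example that is not the chart's own Go-template code: a small Python model of the two helpers named in the thread, `airflowSecurityContext` (component context, else the global context, else the global uid/gid) and `localSecurityContext` (component context, else the component's own `uid`, never the global context). The merge rules, the `render_pod` stand-in for `render_chart`, and the sample values are assumptions constructed for this illustration. It shows why wiring Redis to the global helper changes the uid Redis runs as, and reproduces the `securityContext.runAsUser`-over-`uid` check from the suggested `test_check_local_uid`.

```python
"""Model of the securityContext fallback order discussed in the review.

Added illustration, not the chart's helpers. The merge rules are assumptions
about the two helpers named in the thread:
  airflowSecurityContext: component.securityContext, else the global
      securityContext, else {runAsUser: global uid, fsGroup: global gid}
  localSecurityContext:   component.securityContext, else
      {runAsUser: component uid}; the global context is never consulted
"""
from copy import deepcopy
from typing import Any, Callable, Dict

# Constructed stand-in for the relevant parts of values.yaml (not the real file).
# redis.uid is 0 because the PR settled on 0 for backwards compatibility;
# 999 is the uid of the `redis` user inside the image.
SAMPLE_VALUES: Dict[str, Any] = {
    "uid": 50000,           # global Airflow uid
    "gid": 0,
    "securityContext": {},  # global pod securityContext, empty by default
    "redis": {"uid": 0, "securityContext": {}},
    "statsd": {"enabled": True, "uid": 65534, "securityContext": {}},
}

Helper = Callable[[Dict[str, Any], str], Dict[str, Any]]


def airflow_security_context(values: Dict[str, Any], component: str) -> Dict[str, Any]:
    """Assumed behaviour of the chart's `airflowSecurityContext` helper."""
    comp = values[component]
    if comp.get("securityContext"):
        return deepcopy(comp["securityContext"])
    if values.get("securityContext"):
        return deepcopy(values["securityContext"])
    return {"runAsUser": values["uid"], "fsGroup": values["gid"]}


def local_security_context(values: Dict[str, Any], component: str) -> Dict[str, Any]:
    """Assumed behaviour of the chart's `localSecurityContext` helper."""
    comp = values[component]
    if comp.get("securityContext"):
        return deepcopy(comp["securityContext"])
    return {"runAsUser": comp["uid"]}


def render_pod(values: Dict[str, Any], component: str, helper: Helper) -> Dict[str, Any]:
    """Stand-in for render_chart(): only the pod-spec slice a StatefulSet or Deployment carries."""
    return {"spec": {"template": {"spec": {"securityContext": helper(values, component)}}}}


def run_as_user(doc: Dict[str, Any]) -> Any:
    """Same lookup as jmespath.search('spec.template.spec.securityContext.runAsUser', doc)."""
    return doc["spec"]["template"]["spec"]["securityContext"].get("runAsUser")


def compare_helpers(values: Dict[str, Any]) -> Dict[str, Any]:
    """Uid Redis ends up with under each helper, with and without a global runAsUser set."""
    plain = deepcopy(values)
    overridden = deepcopy(values)
    overridden["securityContext"] = {"runAsUser": 50000, "fsGroup": 0}  # operator sets a global context
    return {
        "airflow_helper": run_as_user(render_pod(plain, "redis", airflow_security_context)),
        "local_helper": run_as_user(render_pod(plain, "redis", local_security_context)),
        "airflow_helper_global_set": run_as_user(render_pod(overridden, "redis", airflow_security_context)),
        "local_helper_global_set": run_as_user(render_pod(overridden, "redis", local_security_context)),
    }


def check_local_uid_precedence(values: Dict[str, Any]) -> Dict[str, int]:
    """Mirror the suggested test_check_local_uid: securityContext.runAsUser beats uid for redis and statsd."""
    component_contexts = {"uid": 3000, "securityContext": {"runAsUser": 7000}}
    v = deepcopy(values)
    for component in ("redis", "statsd"):
        v[component].update(deepcopy(component_contexts))
    return {
        component: run_as_user(render_pod(v, component, local_security_context))
        for component in ("redis", "statsd")
    }


if __name__ == "__main__":
    for name, uid in compare_helpers(SAMPLE_VALUES).items():
        print(f"{name:28s} redis runAsUser = {uid}")
    print("local uid precedence:", check_local_uid_precedence(SAMPLE_VALUES))
```

With the sample values the global helper runs Redis as 50000 in both cases, while the local helper yields 0 (the PR's chosen default) regardless of the global context; if `redis.securityContext` itself sets `runAsUser`, both helpers honour it, which is exactly what the suggested test asserts for 7000 over a `uid` of 3000.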
[GitHub] [airflow] flipstone42 commented on a change in pull request #22182: Add securityContext config for Redis to helm chart

Posted by GitBox <gi...@apache.org>.
flipstone42 commented on a change in pull request #22182:
URL: https://github.com/apache/airflow/pull/22182#discussion_r841229348



##########
File path: chart/values.yaml
##########
@@ -1328,6 +1328,11 @@ redis:
   affinity: {}
   tolerations: []
 
+  # When not set, the values defined in the global securityContext will be used

Review comment:
       Probably safer to default to 0 and make a note that this is for backwards-compatibility
