Posted to commits@airflow.apache.org by "MPParsley (via GitHub)" <gi...@apache.org> on 2023/09/25 11:17:27 UTC
[GitHub] [airflow] MPParsley opened a new issue, #34599: Openshift support is broken
MPParsley opened a new issue, #34599:
URL: https://github.com/apache/airflow/issues/34599
### Official Helm Chart version
1.10.0 (latest released)
### Apache Airflow version
2
### Kubernetes Version
1.25.11+1485cc9
### Helm Chart configuration
uid: XXXXXX0000
gid: XXXXXX0000
### Docker Image customizations
_No response_
### What happened
An OpenShift Security Context Constraint (SCC) is triggered when installing the default helm chart.
The statsd pod won't start and this error is thrown:
```
pods "my-airflow-statsd-67cd659785-" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "csi-smb-controller": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [XXXXXX0000, XXXXXX9999], provider restricted: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [XXXXXX0000, XXXXXX9999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "rsync-anyuid": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "twistlock-scc": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "csi-smb-node": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "velero-privileged": Forbidden: not usable by user or serviceaccount]
```
The statsd pod isn't inheriting the Helm uid properly, and it's not clear where the value 65534 comes from.
I assume a securityContext may be missing for statsd to inherit the global.
As a workaround I added a custom override for the statsd pod:
```
# [13:12] Segers Maarten
# I'll try a custom config for that one container:
statsd:
  securityContexts:
    pod:
      fsGroup: XXXXXX0000
      runAsGroup: XXXXXX0000
      runAsUser: XXXXXX0000
```
### What you think should happen instead
The statsd pod should start properly.
### How to reproduce
```
helm repo add apache-airflow https://airflow.apache.org/
helm install my-airflow apache-airflow/airflow --version 1.10.0 -f values.yml
```
values.yaml
```
uid: XXXXXX0000
gid: XXXXXX0000
```
### Anything else
I'm on OpenShift
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
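
The admission error in the report above buries the one actionable rejection (`runAsUser` outside the project's UID range) among many SCCs the service account is simply not granted. As an added example, not part of the original report or of the Airflow project, this Python helper splits such a message into those two groups and checks a candidate `runAsUser` override against the reported range; the sample message is constructed, and its numeric UID range is a made-up stand-in for the masked one.

```python
import re

# Constructed sample: same shape as the reported error, shortened, with a
# made-up numeric UID range standing in for the masked one.
SAMPLE_ERROR = (
    'pods "my-airflow-statsd-67cd659785-" is forbidden: unable to validate '
    'against any security context constraint: ['
    'provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'provider restricted-v2: .containers[0].runAsUser: Invalid value: 65534: '
    'must be in the ranges: [1000650000, 1000659999], '
    'provider restricted: .containers[0].runAsUser: Invalid value: 65534: '
    'must be in the ranges: [1000650000, 1000659999], '
    'provider "privileged": Forbidden: not usable by user or serviceaccount]'
)

# One "provider <name>: <reason>" entry, up to the next entry or the final "]".
PROVIDER = re.compile(r'provider "?([\w.-]+)"?: (.*?)(?=, provider |\]$)')
# A field-level rejection: which field, which value, which allowed range.
RANGE_FAIL = re.compile(
    r'(\S+): Invalid value: (\d+): must be in the ranges: \[(\d+), (\d+)\]')


def triage_scc_error(message):
    """Return (SCCs the service account may not use, field-level failures)."""
    unusable, failures = [], []
    for scc, reason in PROVIDER.findall(message.strip()):
        hit = RANGE_FAIL.search(reason)
        if hit:
            field, value, low, high = hit.groups()
            failures.append({"scc": scc, "field": field.lstrip("."),
                             "value": int(value),
                             "range": (int(low), int(high))})
        elif "not usable by user or serviceaccount" in reason:
            unusable.append(scc)
    return unusable, failures


def override_is_admissible(uid, failures):
    """True if uid lies inside every UID range the usable SCCs reported."""
    return bool(failures) and all(
        f["range"][0] <= uid <= f["range"][1] for f in failures)


if __name__ == "__main__":
    unusable, failures = triage_scc_error(SAMPLE_ERROR)
    print("not granted:", ", ".join(unusable))
    for f in failures:
        print(f'{f["scc"]}: {f["field"]}={f["value"]} outside {f["range"]}')
```
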
Re: [I] Openshift support is broken - some pods do not inherit global uid [airflow]
Posted by "MPParsley (via GitHub)" <gi...@apache.org>.
MPParsley commented on issue #34599:
URL: https://github.com/apache/airflow/issues/34599#issuecomment-1786955073
As @jedcunningham mentioned in https://github.com/apache/airflow/pull/34601#issuecomment-1735705088:
> It's intentional that PgBouncer, Redis, and StatsD don't use the Airflow security context. This is consistent with other aspects as well, e.g. `env`.
So using the workaround as fix.
[GitHub] [airflow] boring-cyborg[bot] commented on issue #34599: Openshift support is broken
Posted by "boring-cyborg[bot] (via GitHub)" <gi...@apache.org>.
boring-cyborg[bot] commented on issue #34599:
URL: https://github.com/apache/airflow/issues/34599#issuecomment-1733463686
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.
Re: [I] Openshift support is broken - some pods do not inherit global uid [airflow]
Posted by "MPParsley (via GitHub)" <gi...@apache.org>.
MPParsley closed issue #34599: Openshift support is broken - some pods do not inherit global uid
URL: https://github.com/apache/airflow/issues/34599