Posted to commits@airflow.apache.org by "Mingjie LI (JIRA)" <ji...@apache.org> on 2019/06/26 14:18:00 UTC
[jira] [Created] (AIRFLOW-4856) KubernetesExecutor's git initContainer run always as user 65533
Mingjie LI created AIRFLOW-4856:
-----------------------------------
Summary: KubernetesExecutor's git initContainer run always as user 65533
Key: AIRFLOW-4856
URL: https://issues.apache.org/jira/browse/AIRFLOW-4856
Project: Apache Airflow
Issue Type: Bug
Components: executors
Affects Versions: 1.10.3
Reporter: Mingjie LI
When trying to use KubernetesExecutor with git sync functionality, I got this error:
[2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
    self.kube_scheduler.run_next(task)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
    self.launcher.run_pod_async(pod)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
    resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
    (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    body=body)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
    body=body)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}
Even though the run_as_user option has been set in the cfg file as below:
[kubernetes]
run_as_user = 1000000000
https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128
From here we can see the init container is always running as user 65533.
Maybe we can use self.kube_config.worker_run_as_user instead.
Br,
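Added example (not part of the original report and not Airflow's own code): a pre-flight check that computes each container's effective runAsUser in a pod manifest, including init containers, and flags explicit values outside the UID range named in an admission rejection like the one above. The pod manifest is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed pod manifest modelled on the report: pod-level UID taken from
# [kubernetes] run_as_user, init container pinned to 65533.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000000000},
    "initContainers": [
        {"name": "git-sync-clone", "securityContext": {"runAsUser": 65533}}],
    "containers": [{"name": "base"}],
}}

# Excerpt of the 403 message quoted in the report.
SAMPLE_MESSAGE = ("UID on container git-sync-clone does not match required "
                  "range. Found 65533, required min: 1000000000 max: 1000009999")

_RANGE_RE = re.compile(r"required min: (\d+) max: (\d+)")


def parse_uid_range(message):
    """Extract the (min, max) UID range from an SCC rejection message."""
    match = _RANGE_RE.search(message)
    if match is None:
        raise ValueError("no UID range found in message")
    return int(match.group(1)), int(match.group(2))


def effective_uids(pod):
    """Yield (kind, name, uid); a container-level runAsUser overrides the pod's."""
    spec = pod.get("spec") or {}
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind) or []:
            uid = (container.get("securityContext") or {}).get("runAsUser")
            yield kind, container["name"], pod_uid if uid is None else uid


def uid_violations(pod, uid_min, uid_max):
    """Return containers whose explicit effective UID is outside the range.

    An unset UID is not reported: it is left to the admission controller.
    """
    return [(kind, name, uid) for kind, name, uid in effective_uids(pod)
            if uid is not None and not uid_min <= uid <= uid_max]


if __name__ == "__main__":
    low, high = parse_uid_range(SAMPLE_MESSAGE)
    for kind, name, uid in uid_violations(SAMPLE_POD, low, high):
        print(f"{kind}/{name}: runAsUser={uid} is outside {low}-{high}")
```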