Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/09/20 09:36:27 UTC

[GitHub] [airflow] ChrisFraun commented on a diff in pull request #24588: add: container securityContext not available in podSecurityContext

ChrisFraun commented on code in PR #24588:
URL: https://github.com/apache/airflow/pull/24588#discussion_r975118361


##########
chart/templates/_helpers.yaml:
##########
@@ -755,33 +761,68 @@ runAsUser: {{ .uid }}
 
 {{/*
 Set the default value for workers chown for persistent storage
-If no value is passed for securityContext or <node>.securityContext, defaults to global uid and gid.
+If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid.
 The template looks for `runAsUser` and `fsGroup` specifically, any other parameter will be ignored.
 
-    +------------------------+      +-----------------+      +-------------------------+
-    | <node>.securityContext |  ->  | securityContext |  ->  | Values.uid + Values.gid |
-    +------------------------+      +-----------------+      +-------------------------+
+    +------------------------+           +-----------------+    +------------------------+           +-----------------+           +----------------------+
+    | <node>.securityContexts.pod |  ->  | securityContexts.pod | <node>.securityContexts.pod |  ->  | securityContexts |  ->  | Values.uid + Values.gid |
+    +------------------------+           +-----------------+    +------------------------+           +-----------------+           +----------------------+
 
-Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContext,
-any extra values set to securityContext or uid+gid will be ignored.
+Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod,
+any extra values set to securityContexts or uid+gid will be ignored.
 
 The template can be called like so:
-   include "airflowSecurityContextIds" (list . .Values.workers)
+   include "localPodSecurityContextsIds" (list . .Values.webserver)
 
 Where `.` is the global variables scope and `.Values.workers` the local variables scope for the workers template.
 */}}
-{{- define "airflowSecurityContextIds" -}}
+{{- define "airflowPodSecurityContextsIds" -}}
   {{- $ := index . 0 -}}
   {{- with index . 1 }}
-    {{- if .securityContext -}}
-{{ pluck "runAsUser" .securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContext | first | default $.Values.gid }}
+    {{- if .securityContexts.pod -}}
+{{ pluck "runAsUser" .securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContexts.pod | first | default $.Values.gid }}
+    {{- else if $.Values.securityContext -}}
+{{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }}
+    {{- else if $.Values.securityContexts.pod -}}
+{{ pluck "runAsUser" $.Values.securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContexts.pod | first | default $.Values.gid }}
     {{- else if $.Values.securityContext -}}
 {{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }}
     {{- else -}}
 {{ $.Values.uid }}:{{ $.Values.gid }}
     {{- end -}}
   {{- end -}}
 {{- end -}}
+
+{{/*
+Set the default value for container securityContext
+If no value is passed for securityContexts.container or <node>.securityContexts.container, defaults to deny privileges escallation and dropping all POSIX capabilities.
+
+    +------------------------+                +-----------------+                +-------------------------+
+    | <node>.securityContexts.container |  ->  | securityContexts.container |  ->  | allowPrivilegesEscalation: false, capabilities.drop: [ALL]|
+    +------------------------+                +-----------------+                +-------------------------+
+
+
+The template can be called like so:
+   include "airflowContainerSecurityContext" (list . .Values.statsd)
+
+Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template.
+*/}}
+{{- define "airflowContainerSecurityContext" -}}
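Review bot: in `airflowPodSecurityContextsIds` the `else if $.Values.securityContext` branch now appears twice (the added one right after the `.securityContexts.pod` check, and the retained original one just before `else`), so the second copy is unreachable, and the first copy is evaluated before `else if $.Values.securityContexts.pod`, so a values file that still carries the legacy global `securityContext` silently wins over the new `securityContexts.pod`. That contradicts the precedence the doc comment and diagram describe (`<node>.securityContexts.pod -> securityContexts.pod -> Values.uid + Values.gid`) and means the uid:gid used for the persistent-storage chown can differ from the pod securityContext actually rendered. Suggest dropping the duplicate branch and checking `$.Values.securityContexts.pod` before the legacy key, or documenting that legacy takes precedence if that is intended; the updated comment also promises a fallback to `<node>.securityContext` that the code never evaluates. Smaller points in the same hunk: the usage example names `localPodSecurityContextsIds` while the define is `airflowPodSecurityContextsIds`, and it passes `.Values.webserver` while the sentence below still says `.Values.workers`; the new container-context comment has the same mismatch (`.Values.statsd` in the call, `.Values.webserver` in the text), a typo in `escallation`, and `allowPrivilegesEscalation` where the Kubernetes field is `allowPrivilegeEscalation`; and the diagram boxes no longer line up with the labels inside them. One caveat on robustness: evaluating `.securityContexts.pod` on a node whose values omit the `securityContexts` key entirely fails with a nil pointer error in Go templates, so the helper depends on every node in values.yaml defining at least `securityContexts: {}`; worth either guaranteeing that in the defaults or guarding the access.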

Review Comment:
   I added it to the charts



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org