You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/01/28 18:54:02 UTC

[GitHub] [airflow] DerekHeldtWerle commented on pull request #11769: Update charts to follow Helm RBAC best practices

DerekHeldtWerle commented on pull request #11769:
URL: https://github.com/apache/airflow/pull/11769#issuecomment-769299624


   @mik-laj @jaydesl, I've rebased this PR with master [here](https://github.com/DerekHeldtWerle/airflow/tree/fix/rbac) and added all of the additional requirements needed to get this chart deployed when working in environments where users have the [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) admission controller enabled. 
   
   When enabled, _every_ pod in the cluster must have a serviceaccount associated with it that is then binded to a psp. By having the option to set the serviceaccount for every potential pod allows teams to create a single service account mapped to a psp and set that for every pod. Long term, adding psp's at a per service level (e.g. airflow, flower, pgbouncer) would be the best path forward, but this is an initial step towards supporting that. 
   
   I'm happy to open up a new PR that includes this PR's changes and more, but can wait until this PR is merged and add my changes after the fact if that is deemed more appropriate. 
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org