You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by di...@apache.org on 2020/06/25 19:54:29 UTC
[airflow] 01/01: [AIRFLOW-5641] Support running git sync container
as root (#6312)
This is an automated email from the ASF dual-hosted git repository.
dimberman pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit ff96b8ec82af4a8373c44309008cac1991c82f03
Author: Qingping Hou <qp...@scribd.com>
AuthorDate: Tue Oct 15 03:58:31 2019 -0700
[AIRFLOW-5641] Support running git sync container as root (#6312)
(cherry picked from commit 133085eb47e04683ce3dca52b967aa41f8139613)
---
airflow/executors/kubernetes_executor.py | 2 +-
airflow/kubernetes/worker_configuration.py | 2 +-
tests/executors/test_kubernetes_executor.py | 2 +-
tests/kubernetes/test_worker_configuration.py | 15 +++++++++++++++
4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/airflow/executors/kubernetes_executor.py b/airflow/executors/kubernetes_executor.py
index 74e504e..6ec2660 100644
--- a/airflow/executors/kubernetes_executor.py
+++ b/airflow/executors/kubernetes_executor.py
@@ -213,7 +213,7 @@ class KubeConfig:
def _get_security_context_val(self, scontext):
val = conf.get(self.kubernetes_section, scontext)
if not val:
- return 0
+ return ""
else:
return int(val)
diff --git a/airflow/kubernetes/worker_configuration.py b/airflow/kubernetes/worker_configuration.py
index 3464e81..820763b 100644
--- a/airflow/kubernetes/worker_configuration.py
+++ b/airflow/kubernetes/worker_configuration.py
@@ -163,7 +163,7 @@ class WorkerConfiguration(LoggingMixin):
if self.kube_config.git_sync_run_as_user != "":
init_containers.security_context = k8s.V1SecurityContext(
- run_as_user=self.kube_config.git_sync_run_as_user or 65533
+ run_as_user=self.kube_config.git_sync_run_as_user
) # git-sync user
return [init_containers]
diff --git a/tests/executors/test_kubernetes_executor.py b/tests/executors/test_kubernetes_executor.py
index 2b3ed17..bf7bc56 100644
--- a/tests/executors/test_kubernetes_executor.py
+++ b/tests/executors/test_kubernetes_executor.py
@@ -133,7 +133,7 @@ class TestKubeConfig(unittest.TestCase):
('kubernetes', 'git_ssh_known_hosts_configmap_name'): 'airflow-configmap',
('kubernetes', 'git_ssh_key_secret_name'): 'airflow-secrets',
('kubernetes_annotations', "iam.com/role"): "role-arn",
- ('kubernetes_annotations', "other/annotation"): "value"
+ ('kubernetes_annotations', "other/annotation"): "value"
})
def test_kube_config_worker_annotations_properly_parsed(self):
annotations = KubeConfig().kube_annotations
diff --git a/tests/kubernetes/test_worker_configuration.py b/tests/kubernetes/test_worker_configuration.py
index 74009a1..73b3f20 100644
--- a/tests/kubernetes/test_worker_configuration.py
+++ b/tests/kubernetes/test_worker_configuration.py
@@ -305,6 +305,21 @@ class TestKubernetesWorkerConfiguration(unittest.TestCase):
self.assertIsNone(init_containers[0].security_context)
+ def test_init_environment_using_git_sync_run_as_user_root(self):
+ # Tests if git_syn_run_as_user is '0', securityContext is created with
+ # the right uid
+
+ self.kube_config.dags_volume_claim = None
+ self.kube_config.dags_volume_host = None
+ self.kube_config.dags_in_image = None
+ self.kube_config.git_sync_run_as_user = 0
+
+ worker_config = WorkerConfiguration(self.kube_config)
+ init_containers = worker_config._get_init_containers()
+ self.assertTrue(init_containers) # check not empty
+
+ self.assertEqual(0, init_containers[0].security_context.run_as_user)
+
def test_make_pod_run_as_user_0(self):
# Tests the pod created with run-as-user 0 actually gets that in it's config
self.kube_config.worker_run_as_user = 0