[airflow] 01/01: [AIRFLOW-5641] Support running git sync container as root (#6312)

[di...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

dimberman pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit ff96b8ec82af4a8373c44309008cac1991c82f03
Author: Qingping Hou <qp...@scribd.com>
AuthorDate: Tue Oct 15 03:58:31 2019 -0700

    [AIRFLOW-5641] Support running git sync container as root (#6312)
    
    (cherry picked from commit 133085eb47e04683ce3dca52b967aa41f8139613)
---
 airflow/executors/kubernetes_executor.py      |  2 +-
 airflow/kubernetes/worker_configuration.py    |  2 +-
 tests/executors/test_kubernetes_executor.py   |  2 +-
 tests/kubernetes/test_worker_configuration.py | 15 +++++++++++++++
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/airflow/executors/kubernetes_executor.py b/airflow/executors/kubernetes_executor.py
index 74e504e..6ec2660 100644
--- a/airflow/executors/kubernetes_executor.py
+++ b/airflow/executors/kubernetes_executor.py
@@ -213,7 +213,7 @@ class KubeConfig:
     def _get_security_context_val(self, scontext):
         val = conf.get(self.kubernetes_section, scontext)
         if not val:
-            return 0
+            return ""
         else:
             return int(val)
 
diff --git a/airflow/kubernetes/worker_configuration.py b/airflow/kubernetes/worker_configuration.py
index 3464e81..820763b 100644
--- a/airflow/kubernetes/worker_configuration.py
+++ b/airflow/kubernetes/worker_configuration.py
@@ -163,7 +163,7 @@ class WorkerConfiguration(LoggingMixin):
 
         if self.kube_config.git_sync_run_as_user != "":
             init_containers.security_context = k8s.V1SecurityContext(
-                run_as_user=self.kube_config.git_sync_run_as_user or 65533
+                run_as_user=self.kube_config.git_sync_run_as_user
             )  # git-sync user
 
         return [init_containers]
diff --git a/tests/executors/test_kubernetes_executor.py b/tests/executors/test_kubernetes_executor.py
index 2b3ed17..bf7bc56 100644
--- a/tests/executors/test_kubernetes_executor.py
+++ b/tests/executors/test_kubernetes_executor.py
@@ -133,7 +133,7 @@ class TestKubeConfig(unittest.TestCase):
         ('kubernetes', 'git_ssh_known_hosts_configmap_name'): 'airflow-configmap',
         ('kubernetes', 'git_ssh_key_secret_name'): 'airflow-secrets',
         ('kubernetes_annotations', "iam.com/role"): "role-arn",
-        ('kubernetes_annotations', "other/annotation"):  "value"
+        ('kubernetes_annotations', "other/annotation"): "value"
     })
     def test_kube_config_worker_annotations_properly_parsed(self):
         annotations = KubeConfig().kube_annotations
diff --git a/tests/kubernetes/test_worker_configuration.py b/tests/kubernetes/test_worker_configuration.py
index 74009a1..73b3f20 100644
--- a/tests/kubernetes/test_worker_configuration.py
+++ b/tests/kubernetes/test_worker_configuration.py
@@ -305,6 +305,21 @@ class TestKubernetesWorkerConfiguration(unittest.TestCase):
 
         self.assertIsNone(init_containers[0].security_context)
 
+    def test_init_environment_using_git_sync_run_as_user_root(self):
+        # Tests if git_syn_run_as_user is '0', securityContext is created with
+        # the right uid
+
+        self.kube_config.dags_volume_claim = None
+        self.kube_config.dags_volume_host = None
+        self.kube_config.dags_in_image = None
+        self.kube_config.git_sync_run_as_user = 0
+
+        worker_config = WorkerConfiguration(self.kube_config)
+        init_containers = worker_config._get_init_containers()
+        self.assertTrue(init_containers)  # check not empty
+
+        self.assertEqual(0, init_containers[0].security_context.run_as_user)
+
     def test_make_pod_run_as_user_0(self):
         # Tests the pod created with run-as-user 0 actually gets that in it's config
         self.kube_config.worker_run_as_user = 0