apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Openshift support is broken - some pods do not inherit global uid #34599

Closed MPParsley closed 11 months ago

MPParsley commented 1 year ago

Official Helm Chart version

1.10.0 (latest released)

Apache Airflow version

2.6.2

Kubernetes Version

1.25.11+1485cc9

Helm Chart configuration

uid: XXXXXX0000
gid: XXXXXX0000

Docker Image customizations

No response

What happened

An OpenShift Security Context Constraint (SCC) is triggered when installing the default helm chart. The statsd pod won't start and this error is thrown:

pods "my-airflow-statsd-67cd659785-" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "csi-smb-controller": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [XXXXXX0000, XXXXXX9999], provider restricted: .containers[0].runAsUser: Invalid value: 65534: must be in the ranges: [XXXXXX0000, XXXXXX9999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "rsync-anyuid": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "twistlock-scc": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "csi-smb-node": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "velero-privileged": Forbidden: not usable by user or serviceaccount]

Some pods (e.g. statsd, redis) don't inherit the helm uid properly, and it's not clear where the value 65534 comes from. I assume a securityContext may be missing for statsd to inherit the global one.

As a workaround I added a custom override for these pods:

statsd:
  securityContexts:
    pod:
      fsGroup: XXXXXX0000
      runAsGroup: XXXXXX0000
      runAsUser: XXXXXX0000

What you think should happen instead

The statsd pod should start properly.

How to reproduce

helm repo add apache-airflow https://airflow.apache.org/
helm install my-airflow apache-airflow/airflow --version 1.10.0 -f values.yaml

values.yaml

uid: XXXXXX0000
gid: XXXXXX0000

Anything else

I'm on OpenShift


boring-cyborg[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

MPParsley commented 11 months ago

As @jedcunningham mentioned in https://github.com/apache/airflow/pull/34601#issuecomment-1735705088:

It's intentional that PgBouncer, Redis, and StatsD don't use the Airflow security context. This is consistent with other aspects as well, e.g. env.

So using the workaround as fix.
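The admission error above is OpenShift applying the restricted SCC's MustRunAsRange strategy to each container's effective runAsUser, and the follow-up comment explains why statsd, Redis and PgBouncer are not covered by the global uid/gid. The script below is an added example, not code from the Airflow chart or from anyone in this thread: it reproduces that check locally on `helm template` output, so an out-of-range pod is caught before `helm install` rather than by the cluster. It assumes the namespace annotations `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` (the real range in the report is redacted as XXXXXX0000, so the 1000680000/10000 range and the manifests here are constructed), and PyYAML only for the live-input path at the bottom.

```python
"""Pre-install SCC check for a rendered Airflow Helm release.

Added example, not code from the Airflow chart or from the issue above. It
mirrors the check the OpenShift admission controller made in the error
message: every container's effective runAsUser must fall inside the
namespace's SCC UID range, and any fsGroup inside its supplemental-groups
range. The sample manifests and the 1000680000/10000 range are constructed
(the report redacts its real range as XXXXXX0000).
"""
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple

Manifest = Dict[str, Any]
IdRange = Tuple[int, int]


def parse_scc_range(annotation: str) -> IdRange:
    """Parse an OpenShift namespace range annotation into an inclusive (low, high).
    openshift.io/sa.scc.uid-range uses "start/size"; supplemental-groups may
    use "start/size" or "low-high"."""
    if "/" in annotation:
        start, size = (int(x) for x in annotation.split("/", 1))
        return start, start + size - 1
    low, high = (int(x) for x in annotation.split("-", 1))
    return low, high


def pod_specs(manifests: Iterable[Optional[Manifest]]) -> Iterator[Tuple[str, Manifest]]:
    """Yield (workload name, pod spec) for every kind that embeds a pod template."""
    for m in manifests:
        if not m:  # `helm template` output contains empty YAML documents
            continue
        kind, spec = m.get("kind"), m.get("spec") or {}
        name = (m.get("metadata") or {}).get("name", "<unnamed>")
        if kind == "Pod":
            yield name, spec
        elif kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
            yield name, (spec.get("template") or {}).get("spec") or {}
        elif kind == "CronJob":
            job = (spec.get("jobTemplate") or {}).get("spec") or {}
            yield name, (job.get("template") or {}).get("spec") or {}


def effective_run_as_user(pod_spec: Manifest, container: Manifest) -> Optional[int]:
    """Kubernetes precedence: a container securityContext overrides the pod one.
    None means unset, which a MustRunAsRange SCC fills in at admission time."""
    value = (container.get("securityContext") or {}).get("runAsUser")
    if value is None:
        value = (pod_spec.get("securityContext") or {}).get("runAsUser")
    return value


def scc_violations(manifests, uid_range: IdRange, gid_range: IdRange) -> List[str]:
    """Mirror the restricted SCC's runAsUser (MustRunAsRange) and fsGroup (MustRunAs)
    strategies. runAsGroup is not checked: an SCC carries no runAsGroup strategy."""
    def outside(v: int, r: IdRange) -> bool:
        return not (r[0] <= v <= r[1])

    problems: List[str] = []
    for name, spec in pod_specs(manifests):
        fs = (spec.get("securityContext") or {}).get("fsGroup")
        if fs is not None and outside(fs, gid_range):
            problems.append(f"{name}: fsGroup {fs} outside {gid_range[0]}-{gid_range[1]}")
        containers = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
        for c in containers:
            uid = effective_run_as_user(spec, c)
            if uid is not None and outside(uid, uid_range):
                problems.append(f"{name}/{c.get('name', '<unnamed>')}: runAsUser {uid} "
                                f"outside {uid_range[0]}-{uid_range[1]}")
    return problems


# Constructed sample: the shape of what the chart renders, before and after the
# statsd.securityContexts.pod override from the issue. All values are made up.
RANGE = "1000680000/10000"


def statsd_deployment(pod_security_context: Manifest) -> Manifest:
    return {"kind": "Deployment", "metadata": {"name": "my-airflow-statsd"},
            "spec": {"template": {"spec": {"securityContext": pod_security_context,
                                           "containers": [{"name": "statsd"}]}}}}


WEBSERVER = {"kind": "Deployment", "metadata": {"name": "my-airflow-webserver"},
             "spec": {"template": {"spec": {
                 "securityContext": {"runAsUser": 1000680000, "fsGroup": 1000680000},
                 "containers": [{"name": "webserver"}]}}}}

BEFORE = [WEBSERVER, statsd_deployment({"runAsUser": 65534}), None]
AFTER = [WEBSERVER, statsd_deployment(
    {"runAsUser": 1000680000, "runAsGroup": 1000680000, "fsGroup": 1000680000}), None]


if __name__ == "__main__":
    # Live use: pipe `helm template ... -f values.yaml` in and pass the namespace's
    # uid-range and supplemental-groups annotations as argv[1] and argv[2].
    import sys
    import yaml  # PyYAML; only needed here, not for the constructed sample above
    uid_r = parse_scc_range(sys.argv[1])
    gid_r = parse_scc_range(sys.argv[2] if len(sys.argv) > 2 else sys.argv[1])
    found = scc_violations(yaml.safe_load_all(sys.stdin), uid_r, gid_r)
    print("\n".join(found) or "all pods inside SCC range")
    sys.exit(1 if found else 0)
```

Against a real cluster the annotations come from `oc get ns NAMESPACE -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'` (and `...sa\.scc\.supplemental-groups`), fed as `helm template my-airflow apache-airflow/airflow --version 1.10.0 -f values.yaml | python scc_check.py "$UID_RANGE" "$GID_RANGE"`. Because it walks every rendered workload, the same run also flags Redis and PgBouncer if they are enabled without their own securityContexts override, which the final comment says is the intended chart behaviour.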