apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Requests/limits in custom-values.yaml ignored #35497

Closed dabukster closed 10 months ago

dabukster commented 11 months ago

Official Helm Chart version

1.11.0 (latest released)

Apache Airflow version

8.8.0

Kubernetes Version

1.25.11

Helm Chart configuration

No response

Docker Image customizations

No response

What happened

I want to install Airflow on a Kubernetes cluster. Background: the cluster is provided by our department, so I can't change anything about the settings.

When I run `helm install ... --values custom-values.yaml ...` I get the same error message for all components (see below), even though I tried to add requests/limits entries to the resources sections and runAsNonRoot in the securityContext sections in a custom-values.yaml. But it seems these values are ignored.

Question: How can I provide these values or how can I adjust the configuration to get installation running?

admission webhook "validate.kyverno.svc-fail" denied the request:

policy Deployment/i8l-dev/airflow-cluster-web for resource violations: ** the same for scheduler, postgres. etc.**

limit-pod-resources:
  autogen-limit-pod-resources: 'validation error: CPU and memory resource requests
    and limits have an upper limit of 10800 RAM and 3586 millicores. rule autogen-limit-pod-resources
    failed at path /spec/template/spec/initContainers/0/resources/limits/'
require-run-as-nonroot:
  autogen-run-as-non-root: 'validation error: Running as root is not allowed. Either
    the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields
    spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot,
    and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
    rule autogen-run-as-non-root[0] failed at path /spec/template/spec/securityContext/runAsNonRoot/
    rule autogen-run-as-non-root[1] failed at path /spec/template/spec/initContainers/0/securityContext/runAsNonRoot/'

Comment: The same issue was also raised for the community helm chart, but was never addressed there either

What you think should happen instead

The helm chart should be installed

How to reproduce

Install on a Kubernetes cluster with Kyverno in place that enforces the restrictions returned by the error messages.

Anything else

No response

boring-cyborg[bot] commented 11 months ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

ylnsnv commented 11 months ago

Can you please provide us with the custom-values.yaml you're using? Or at least what you think is the relevant part of it?

dabukster commented 11 months ago

Hi,

I've attached the yaml as txt. But I'd say nothing special.

custom-values_yaml.txt

romsharon98 commented 10 months ago

It looks like a problem in the first initContainer in each pod, that means the wait-for-airflow-migrations. I see that you added dbMigrations in your values (just note that the comments for it are wrong, you are describing the worker there), therefore I cannot template your chart. Can you run `helm template` and upload the result, or add your chart here?
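
Added example, not part of this thread or of the Airflow chart: a check that can be run over `helm template` output before installing, to see which container paths the two rules quoted in the error message would reject. It assumes each rendered Deployment has already been parsed into a Python dict; `find_violations`, `fixed_sample` and the sample manifest are constructed for illustration, and the logic only approximates the cluster's Kyverno policies.

```python
import copy

# Constructed sample: one rendered Deployment, already parsed into a dict.
# Shaped like the case in the error message; all values are illustrative.
SAMPLE = {
    "spec": {"template": {"spec": {
        "securityContext": {},
        "initContainers": [{"name": "wait-for-airflow-migrations"}],
        "containers": [{
            "name": "webserver",
            "resources": {"requests": {"cpu": "500m", "memory": "1Gi"},
                          "limits": {"cpu": "1", "memory": "2Gi"}},
            "securityContext": {"runAsNonRoot": True},
        }],
    }}},
}

def find_violations(manifest):
    """Hypothetical helper: list the paths the two rules would reject.
    Approximation only: checks that cpu/memory requests and limits exist
    (the numeric upper bounds are not evaluated) and runAsNonRoot."""
    spec = manifest["spec"]["template"]["spec"]
    pod_nonroot = (spec.get("securityContext") or {}).get("runAsNonRoot") is True
    findings = []
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for i, c in enumerate(spec.get(group) or []):
            base = f"/spec/template/spec/{group}/{i}"
            res = c.get("resources") or {}
            for section in ("requests", "limits"):
                if not {"cpu", "memory"} <= set(res.get(section) or {}):
                    findings.append(f"{base}/resources/{section}/")
            val = (c.get("securityContext") or {}).get("runAsNonRoot")
            # Pass if the container sets true, or inherits a pod-level true.
            if not (val is True or (pod_nonroot and val is None)):
                findings.append(f"{base}/securityContext/runAsNonRoot/")
    return findings

def fixed_sample():
    """Same manifest with the init container given resources and non-root."""
    m = copy.deepcopy(SAMPLE)
    init = m["spec"]["template"]["spec"]["initContainers"][0]
    init["resources"] = {"requests": {"cpu": "100m", "memory": "128Mi"},
                         "limits": {"cpu": "200m", "memory": "256Mi"}}
    init["securityContext"] = {"runAsNonRoot": True}
    return m
```

On the constructed sample only the init container is reported, which matches the `initContainers/0` paths in the admission error above.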

dabukster commented 10 months ago

I just added the dbMigrations section as the k8s cluster complained about it. Thus, just remove it. But I assume it is due to the configuration of our k8s cluster, as I just use the standard configuration and added the resource limits.

On 04.12.2023 at 18:52, rom sharon @.***> wrote:

> It looks like a problem in the first initContainer in each pod, that means the wait-for-airflow-migrations. I see that you added dbMigrations in your values (just note that the comments for it are wrong, you are describing the worker there), therefore I cannot template your chart. Can you run `helm template` and upload the result, or add your chart here?

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has been open for 14 days with no response from the author. It will be closed in next 7 days if no further activity occurs from the issue author.

github-actions[bot] commented 10 months ago

This issue has been closed because it has not received response from the issue author.