search

apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0
37.12k stars 14.31k forks source link

Provide access privilege required for `cncf.kubernetes` operators/executors #40210

Open pykenny opened 5 months ago

pykenny commented 5 months ago

What do you see as an issue?

In cncf-kubernetes provider's operator section, it describes how each operator work, but does not mention what type of access privileges are required to run these operators.

Same kind of details may be needed for the two types of Kubernetes executors as well.

Solving the problem

Provide privileges on Kubernetes resource required for each operator.

For instance, in 3rd-party airflow_kubernetes_job_operator package, it lists out all the privileges needed to gain full functionality of their operator in readme, written in RBAC format:

Anything else

No response

Are you willing to submit PR?

Code of Conduct

potiuk commented 5 months ago

Sure. Marked it as good-first-issue and you are free to contribute it, otherwise it will have to wait for someone to volunteer, pick it up and contribute.

topherinternational commented 3 months ago

@pykenny A good start might be the k8s permissions in the Helm chart, e.g. https://github.com/apache/airflow/blob/providers-cncf-kubernetes/8.3.4/chart/templates/rbac/pod-launcher-role.yaml (and others in that directory).

It's not exactly the k8s operators, but it should be a similar perms profile as what is needed to launch a task pod from the k8s executor.