Open DjVinnii opened 3 weeks ago
I believe Airflow scheduler does not require the token - it requires it when K8S executor is used, but when you use local or celery executor it should work fine
I am not sure however what was the intention - it's been added everywhere in https://github.com/apache/airflow/pull/32808 and maybe @amoghrajesh can comment on it, but maybe you already know how to change it - seems that you want to submit a PR for it?
I believe Airflow scheduler does not require the token - it requires it when K8S executor is used, but when you use local or celery executor it should work fine
Ah yes, I forgot to mention that I'm indeed using the K8S executor. I have to disable the K8S Service Account token automount due to a cluster policy and suspect that this might be the case for more users.
I am not sure however what was the intention - it's been added everywhere in #32808 and maybe @amoghrajesh can comment on it, but maybe you already know how to change it - seems that you want to submit a PR for it?
I am indeed willing to submit a PR, however I don't know what the best way will be to solve this. Maybe @amoghrajesh has some insights on this.
@potiuk @DjVinnii I checked the issue. The fix was to complete this one https://github.com/apache/airflow/issues/30722. The idea was to not mount the service account tokens to reduce the security risk of the token being exposed if a pod is compromised.
On further reading, I see that the token is always needed for scheduler and if this is set to false, the serviceaccount token will not be automatically mounted into the pods that use this service account (scheduler for example). The scheduler will not be able to authenticate to the K8s API, which is needed for tasks like creating and managing pods.
I am indeed willing to submit a PR, however I don't know what the best way will be to solve this. Maybe @amoghrajesh has some insights on this.
@DjVinnii I think the most ideal fix here would be to remove the option from the scheduler service account. It can be optional for other pods but it is always supposed to be true for scheduler.
@DjVinnii feel free to submit a PR that implements this logic
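As an added example (not code from this issue or from the Airflow Helm chart), a small audit in Python that applies the Kubernetes precedence rule this thread depends on: a pod spec's own automountServiceAccountToken overrides the ServiceAccount's setting, and when both are unset the token is mounted. The pod and ServiceAccount objects, their names, the component labels and the needs_api list are constructed assumptions, not real cluster output.

```python
"""Report Airflow pods whose service-account token state does not match what
the component needs: the scheduler (with the KubernetesExecutor) must have the
token to create and manage task pods; other pods holding a token they may not
need are listed for least-privilege review."""


def token_mounted(pod: dict, service_accounts: dict) -> bool:
    """Return True if Kubernetes will automount the SA token into this pod.

    Precedence: pod.spec.automountServiceAccountToken, then the
    ServiceAccount's automountServiceAccountToken, then the default (True)."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    return bool(sa.get("automountServiceAccountToken", True))


def audit(pods, service_accounts, needs_api=("scheduler",)):
    """Return (pod name, finding) pairs for pods worth a second look."""
    findings = []
    for pod in pods:
        name = pod["metadata"]["name"]
        component = pod["metadata"]["labels"].get("component", "")
        mounted = token_mounted(pod, service_accounts)
        if component in needs_api and not mounted:
            findings.append((name, "MISSING_TOKEN"))  # CrashLoopBackOff risk
        elif component not in needs_api and mounted:
            findings.append((name, "TOKEN_MAYBE_UNNEEDED"))
    return findings


# Constructed sample, shaped like `kubectl get -o json` objects (trimmed).
SERVICE_ACCOUNTS = {
    "airflow-scheduler": {"automountServiceAccountToken": False},  # the issue
    "airflow-webserver": {},  # unset on the SA: token is mounted by default
}
PODS = [
    {"metadata": {"name": "airflow-scheduler-0", "labels": {"component": "scheduler"}},
     "spec": {"serviceAccountName": "airflow-scheduler"}},
    # Pod-level True overrides the SA's False, so this scheduler is fine.
    {"metadata": {"name": "airflow-scheduler-1", "labels": {"component": "scheduler"}},
     "spec": {"serviceAccountName": "airflow-scheduler",
              "automountServiceAccountToken": True}},
    {"metadata": {"name": "airflow-webserver-0", "labels": {"component": "webserver"}},
     "spec": {"serviceAccountName": "airflow-webserver"}},
]

if __name__ == "__main__":
    for pod_name, finding in audit(PODS, SERVICE_ACCOUNTS):
        print(f"{pod_name}: {finding}")
```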
Official Helm Chart version
1.15.0 (latest released)
Apache Airflow version
2.9.3
Kubernetes Version
1.29.7
Helm Chart configuration
No response
Docker Image customizations
No response
What happened
The Airflow scheduler requires Kubernetes API access. When disabling automountServiceAccountToken, the API token is not mounted in the pod(s) resulting in a CrashLoopBackOff with the following error:
What you think should happen instead
In my opinion the Airflow Helm Chart should provision the token so the scheduler successfully runs on the Kubernetes cluster.
How to reproduce
Set
scheduler.serviceAccount.automountServiceAccountToken: false
Anything else
No response
Are you willing to submit PR?
Code of Conduct