bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/airflow] Clone DAG into read only file system #28824

Open Shesoff opened 3 months ago

Shesoff commented 3 months ago

Name and Version

bitnami/airflow:18.3.17

What architecture are you using?

amd64

What steps will reproduce the bug?

Install helm chart with git.dags.enabled=true on OKD (openshift) cluster.

Are you using any custom parameters or values?

global.compatibility.openshift.adaptSecurityContext: force
git.dags.repositories.[repository: my_private_repo_on_gitlab_self_hosted]

What is the expected behavior?

I expected that if I use global.compatibility.openshift.adaptSecurityContext, containers would get volumes with the emptyDir: {} parameter to save DAGs there.

What do you see instead?

I see the error Init:CreateContainerConfigError with the reason: Error: container has runAsNonRoot and image will run as root (pod: "cloudapi-airflow-web-694dd76578-n7hjc_d-cloudapi(b5c896f5-540a-4bf6-bd29-52ab721f1be4)", container: clone-repositories)

Additional information

No response

Shesoff commented 3 months ago

This was fixed with these parameters:

global.compatibility.openshift.adaptSecurityContext: auto
web.podSecurityContext.enabled: false
web.containerSecurityContext.enabled: false
scheduler.podSecurityContext.enabled: false
scheduler.containerSecurityContext.enabled: false
worker.podSecurityContext.enabled: false
worker.containerSecurityContext.enabled: false
metrics.podSecurityContext.enabled: false
metrics.containerSecurityContext.enabled: false

If I understand correctly, global.compatibility.openshift.adaptSecurityContext: force doesn't work correctly with an OpenShift cluster and you need to disable SecurityContext for all pods/containers.

javsalgar commented 3 months ago

The issue is that our bitnami/git container has USER 0 by default. The security context adaptations remove the runAsUser and runAsGroup sections of the security context. For some reason, it is causing some sort of incompatibility when enabling the security context and using a root container.

We may want to change the git container to non-root by default to avoid this issue.
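
Added example, not part of the thread and not kubelet or chart code: a simplified Python model of the kubelet's runAsNonRoot check, showing why a USER 0 image starts while runAsUser is set and is rejected once the adaptation described above removes it. The values in CHART_SC are constructed for illustration, and the function names are hypothetical.

```python
from typing import Optional

ROOT_MSG = "container has runAsNonRoot and image will run as root"

# Constructed securityContext for illustration; not copied from the chart's defaults.
CHART_SC = {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001}


def adapt_for_openshift(sc: dict) -> dict:
    """The adaptation as described in the thread: drop runAsUser and runAsGroup."""
    return {k: v for k, v in sc.items() if k not in ("runAsUser", "runAsGroup")}


def non_root_violation(sc: dict, image_user: str) -> Optional[str]:
    """Return the rejection reason, or None if the container may start.

    sc is the effective container securityContext; image_user is the USER
    recorded in the image config ("" when the image sets none).
    """
    if not sc.get("runAsNonRoot"):
        return None  # root is allowed, nothing to verify
    if sc.get("runAsUser") is not None:
        # An explicit UID in the spec decides; the image's USER is ignored.
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    # No explicit UID left in the spec: fall back to the image's USER.
    name = image_user.split(":", 1)[0]  # strip an optional ":group" suffix
    if name == "":
        return ROOT_MSG  # an image without USER is treated as root
    if name.isascii() and name.isdecimal():
        return ROOT_MSG if int(name) == 0 else None
    # A user name cannot be resolved to a UID before the container exists.
    return (f"container has runAsNonRoot and image has non-numeric user "
            f"({name}), cannot verify user is non-root")


if __name__ == "__main__":
    adapted = adapt_for_openshift(CHART_SC)
    for label, sc in (("as rendered", CHART_SC), ("after adaptation", adapted)):
        for user in ("0", "1001", "airflow", ""):
            print(f"{label:17} USER={user!r:10} -> {non_root_violation(sc, user)}")
```

The "after adaptation" row with USER 0 yields the same reason string reported for the clone-repositories init container, which is why the fix is either a non-root USER in the image or an explicit non-zero runAsUser in the spec.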

Shesoff commented 2 months ago

We may want to change the git container to non-root by default to avoid this issue

It will be awesome.

juan131 commented 1 week ago

@Shesoff could you give the latest 21.0.0 major version a try? Please note you'll have to adapt your values slightly according to what's documented in the link below:

This new version doesn't rely on the bitnami/git container any longer and uses the same Bitnami Airflow container instead, hence it's likely you won't face the issues any longer.