bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/airflow] Clone DAG into read-only file system #28824

Open Shesoff opened 1 month ago

Shesoff commented 1 month ago

Name and Version

bitnami/airflow:18.3.17

What architecture are you using?

amd64

What steps will reproduce the bug?

Install the Helm chart with git.dags.enabled=true on an OKD (OpenShift) cluster.

Are you using any custom parameters or values?

global.compatibility.openshift.adaptSecurityContext: force
git.dags.repositories.[repository: my_private_repo_on_gitlab_self_hosted]

What is the expected behavior?

I expected that if I use global.compatibility.openshift.adaptSecurityContext, containers would get volumes with the emptyDir: {} parameter to save DAGs there.

What do you see instead?

I see the error Init:CreateContainerConfigError, with the reason: Error: container has runAsNonRoot and image will run as root (pod: "cloudapi-airflow-web-694dd76578-n7hjc_d-cloudapi(b5c896f5-540a-4bf6-bd29-52ab721f1be4)", container: clone-repositories)

Additional information

No response

Shesoff commented 1 month ago

This was fixed with these parameters:

global.compatibility.openshift.adaptSecurityContext: auto
web.podSecurityContext.enabled: false
web.containerSecurityContext.enabled: false
scheduler.podSecurityContext.enabled: false
scheduler.containerSecurityContext.enabled: false
worker.podSecurityContext.enabled: false
worker.containerSecurityContext.enabled: false
metrics.podSecurityContext.enabled: false
metrics.containerSecurityContext.enabled: false

If I understand correctly, global.compatibility.openshift.adaptSecurityContext: force doesn't work correctly with an OpenShift cluster, and you need to disable SecurityContext for all pods/containers.

javsalgar commented 1 month ago

The issue is that our bitnami/git container has USER 0 by default. The security context adaptations remove the runAsUser and runAsGroup sections of the security context. For some reason, it is causing some sort of incompatibility when enabling the security context and using a root container.

We may want to change the git container to non-root by default to avoid this issue.
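
The failure described in the comment above, as an added example (not code from the chart, the kubelet, or anyone in this thread): a simplified Python model of the runAsNonRoot check, showing that a USER 0 image is accepted while an explicit non-zero runAsUser is set and refused once the adaptation removes it. The function names, the uid/gid 1001 and the two refusal messages not quoted in the thread are assumptions.

```python
# Simplified model of the runAsNonRoot check behind the error in this thread.
# Added illustration; not kubelet or chart code.

def effective_context(pod_sc, container_sc):
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod_sc or {})
    merged.update(container_sc or {})
    return merged

def adapt_for_openshift(sc):
    """Drop runAsUser/runAsGroup, as the thread says the adaptation does."""
    return {k: v for k, v in sc.items() if k not in ("runAsUser", "runAsGroup")}

def parse_image_user(user):
    """Split an image USER value into (numeric uid or None, name or '')."""
    user = str(user).split(":")[0]  # ignore an optional ":group" suffix
    return (int(user), "") if user.isdigit() else (None, user)

def check_run_as_non_root(pod_sc, container_sc, image_user):
    """Return None if the container may start, else the reason it is refused."""
    sc = effective_context(pod_sc, container_sc)
    if not sc.get("runAsNonRoot"):
        return None  # policy not requested, nothing to verify
    if sc.get("runAsUser") is not None:
        # An explicit uid decides the outcome; the image USER is never consulted.
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, name = parse_image_user(image_user)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and name:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({name}), cannot verify user is non-root")
    return None

# Constructed securityContext for the clone-repositories init container; the
# uid/gid 1001 are assumed sample values, not taken from the chart.
CLONE_SC = {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001}

if __name__ == "__main__":
    cases = (("as rendered", CLONE_SC),
             ("after adaptation", adapt_for_openshift(CLONE_SC)))
    for label, sc in cases:
        print(label, "->", check_run_as_non_root({}, sc, "0") or "starts")
```

With the image user changed from "0" to a numeric non-root uid, the adapted context passes the same check.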

Shesoff commented 1 month ago

> We may want to change the git container to non-root by default to avoid this issue

It will be awesome.