From 3cd11dfa25210559cf310bc48df72ed25bf7b50f Mon Sep 17 00:00:00 2001
From: Ashok Kumar Srinivas <94833956+ashsrinivas-deloitte@users.noreply.github.com>
Date: Wed, 4 Oct 2023 13:26:47 +0530
Subject: [PATCH 1/3] modified role template to allow SA to read k8s secrets in airflow ns

Signed-off-by: Ashok Kumar Srinivas <94833956+ashsrinivas-deloitte@users.noreply.github.com>
---
 charts/airflow/templates/rbac/airflow-role.yaml | 10 ++++++++++
 charts/airflow/values.yaml | 5 +++++
 2 files changed, 15 insertions(+)

diff --git a/charts/airflow/templates/rbac/airflow-role.yaml b/charts/airflow/templates/rbac/airflow-role.yaml
index 3676f421..3b76395f 100644
--- a/charts/airflow/templates/rbac/airflow-role.yaml
+++ b/charts/airflow/templates/rbac/airflow-role.yaml
@@ -18,6 +18,16 @@ rules:
 - "get"
 - "list"
 {{- end }}
+{{- if .Values.rbac.secrets }}
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+{{- end }}
 - apiGroups:
 - ""
 resources:
diff --git a/charts/airflow/values.yaml b/charts/airflow/values.yaml
index 3712eb09..4a7cb55a 100644
--- a/charts/airflow/values.yaml
+++ b/charts/airflow/values.yaml
@@ -1610,6 +1610,11 @@ rbac:
 ##
 events: true
+ ## if the created RBAC Role has GET/LIST/WATCH on Secret resources
 ## - this is a place holder to allow the implementors to over-write \
 ## if they want their service account deployed in airflow namespace to access secrets, default value set to false
+ secrets: false
+
 ###################################
 ## CONFIG | Kubernetes ServiceAccount
 ###################################
From ab376851c636e2af3a343a93132ee199c068affe Mon Sep 17 00:00:00 2001
From: Ashok Kumar Srinivas <94833956+ashsrinivas-deloitte@users.noreply.github.com>
Date: Wed, 4 Oct 2023 13:58:53 +0530
Subject: [PATCH 2/3] feat: modified role template to allow SA to read k8s secrets in airflow ns
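Review bot: The new `secrets` rule in airflow-role.yaml grants `get`, `list` and `watch` on every Secret in the release namespace with no `resourceNames` allow-list, so a single `list` call from any pod running as the chart's ServiceAccount returns the full data of all Secrets there, including any the chart itself creates. If the intended use is reading a few named Secrets, the template could accept an optional allow-list (proposed key name below is a placeholder, not an existing chart value) so operators can scope the grant; note that `resourceNames` only constrains `get`, while `list`/`watch` are still namespace-wide unless the client adds a `metadata.name` field selector, so operators who only need `get` should be able to drop the other two verbs. The `[WARNING]` comment added to values.yaml in PATCH 3/3 would be more accurate if it said the grant is namespace-wide and unscoped rather than only that "workers/dags can read Secrets".

```yaml
  resources:
  - secrets
  {{- /* placeholder key: allow-list of Secret names; restricts "get" only, see Kubernetes RBAC resourceNames semantics */}}
  {{- with .Values.rbac.secretsResourceNames }}
  resourceNames:
  {{- toYaml . | nindent 2 }}
  {{- end }}
  # … unchanged: verbs …
```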
Signed-off-by: Ashok Kumar Srinivas <94833956+ashsrinivas-deloitte@users.noreply.github.com>
---
 charts/airflow/values.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/charts/airflow/values.yaml b/charts/airflow/values.yaml
index 4a7cb55a..038ceed7 100644
--- a/charts/airflow/values.yaml
+++ b/charts/airflow/values.yaml
@@ -1613,6 +1613,7 @@ rbac:
 ## if the created RBAC Role has GET/LIST/WATCH on Secret resources
 ## - this is a place holder to allow the implementors to over-write \
 ## if they want their service account deployed in airflow namespace to access secrets, default value set to false
+ ##
 secrets: false
 ###################################
From cb659abac9e85972ede2ad65a80f2a0cc2033d4b Mon Sep 17 00:00:00 2001
From: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
Date: Tue, 30 Apr 2024 17:53:53 -0700
Subject: [PATCH 3/3] cleanup changes

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>
---
 charts/airflow/README.md | 3 ++-
 charts/airflow/values.yaml | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/charts/airflow/README.md b/charts/airflow/README.md
index 9b992295..86bc834d 100644
--- a/charts/airflow/README.md
+++ b/charts/airflow/README.md
@@ -407,7 +407,8 @@ Parameter | Description | Default
 Parameter | Description | Default
 --- | --- | ---
 `rbac.create` | if Kubernetes RBAC resources are created | `true`
-`rbac.events` | if the created RBAR role has GET/LIST access to Event resources | `false`
+`rbac.events` | if the created RBAC Role has GET/LIST on Event resources | `true`
+`rbac.secrets` | if the created RBAC Role has GET/LIST/WATCH on Secret resources | `false`
diff --git a/charts/airflow/values.yaml b/charts/airflow/values.yaml
index 038ceed7..bddddff8 100644
--- a/charts/airflow/values.yaml
+++ b/charts/airflow/values.yaml
@@ -1602,6 +1602,8 @@ rbac:
 ## if Kubernetes RBAC resources are created
 ## - these allow the service account to create/delete Pods in the airflow namespace,
 ## which is required for the KubernetesPodOperator() to function
+ ## - if `false`, you must create a custom Role and RoleBinding
+ ## for the ServiceAccount defined in `serviceAccount.name`
 ##
 create: true
@@ -1611,8 +1613,7 @@ rbac:
 events: true
 ## if the created RBAC Role has GET/LIST/WATCH on Secret resources
- ## - this is a place holder to allow the implementors to over-write \
- ## if they want their service account deployed in airflow namespace to access secrets, default value set to false
+ ## - [WARNING] when true, workers/dags can read Secrets in airflow's namespace
 ##
 secrets: false