Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow airflow standard images to run in openshift utilising the official helm chart #18136

Closed
2 tasks done
nwalens opened this issue Sep 10, 2021 · 5 comments · Fixed by #18147
Closed
2 tasks done

Allow airflow standard images to run in openshift utilising the official helm chart #18136

nwalens opened this issue Sep 10, 2021 · 5 comments · Fixed by #18147
Assignees
@nwalens
Labels
area:helm-chart Airflow Helm Chart kind:feature Feature Requests

Comments

@nwalens
Copy link
Contributor

nwalens commented Sep 10, 2021

Description

Airflow helm chart is very powerful and configurable, however in order to run it in a on-premises openshift 4 environment, one must manually create security context constraints or extra RBAC rules in order to permit the pods to start with arbitrary user ids.

Use case/motivation

I would like to be able to run Airflow using the provided helmchart in a on-premises Openshift 4 installation.

Related issues

No response

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!

Code of Conduct
@nwalens nwalens added the kind:feature Feature Requests label Sep 10, 2021
@boring-cyborg
Copy link

boring-cyborg bot commented Sep 10, 2021

Thanks for opening your first issue here! Be sure to follow the issue template!

@potiuk
Copy link
Member

potiuk commented Sep 10, 2021

Good Idea. While the Airflow Official Image supports Open-Shift arbitrary user, the Charts might indeed need some modifications to be able to support it out-of-the-box cc: @jedcunningham ?

@potiuk
Copy link
Member

potiuk commented Sep 10, 2021

Happy to help with review @nwalens !

@jedcunningham
Copy link
Member

@nwalens, I'm also happy to help! Ping us on slack in #helm-chart-official if you get stuck or want/need to chat about this 👍.

@jedcunningham jedcunningham added the area:helm-chart Airflow Helm Chart label Sep 10, 2021
@nwalens
Copy link
Contributor Author

nwalens commented Sep 10, 2021

Hi @jedcunningham and @potiuk, thanks for the support!

I have just create a pull request (#18147) addressing this issue.

Thanks a lot!

@mik-laj mik-laj linked a pull request Sep 12, 2021 that will close this issue
Allow airflow standard images to run in openshift utilising the official helm chart #18136 #18147
Merged
@nwalens nwalens mentioned this issue Sep 14, 2021
Merged
potiuk pushed a commit that referenced this issue Sep 28, 2021
@nwalens
Allow airflow standard images to run in openshift utilising the offic…
45e8191 
…ial helm chart #18136 (#18147)

This pull request adds the parameter rbac.createSCCRoleBinding.
When enabled, a new RoleBinding object will be created targeting the various serviceAccounts utilised by deployments and pods.
The roleBinding will target the system:openshift:scc:anyuid cluster role which allows for pods to start with any arbitrary uid.
The ideal solution would also add the possibility of removing the security contexts altogether, however this would not be possible due to a number of pod templates setting different uids.
I will investigate the possibility to add the option of removing the security contexts so that openshift can then set its own uid as intended.
As it is, the pods will start and work as expected, utilising the predefined uids set in values file or the default image uid as set during build.

The change is not intrusive and should work in the current workflow as is. The option is also set to false by default in order to not impact any existing setups.
@kaxil kaxil mentioned this issue Nov 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nwalens nwalens

Labels
area:helm-chart Airflow Helm Chart kind:feature Feature Requests
Projects
None yet
Milestone
No milestone
3 participants
@potiuk @nwalens @jedcunningham