pgagnon commented on a change in pull request #4648: [AIRFLOW-3274] Add 
run_as_user and fs_group options for Kubernetes
URL: https://github.com/apache/airflow/pull/4648#discussion_r265372296
 
 

 ##########
 File path: airflow/contrib/kubernetes/kubernetes_request_factory/kubernetes_request_factory.py
 ##########
 @@ -187,12 +187,17 @@ def extract_image_pull_secrets(pod, req):
                 'name': pull_secret
             } for pull_secret in pod.image_pull_secrets.split(',')]
 
+    @staticmethod
+    def extract_security_context(pod, req):
+        if pod.security_context is None:
+            return
+
+        # Add security_context if not present in spec
+        req['spec']['securityContext'] = req['spec'].get('securityContext', {})
 
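Review bot: The guard `if pod.security_context is None` in `extract_security_context` lets an empty dict through, so the last added line still writes an empty `securityContext` into `req['spec']`; `if not pod.security_context: return` would skip that case. The get-then-assign on that line can be written as `req['spec'].setdefault('securityContext', {})`, and the method would benefit from a short docstring naming which keys it copies from `pod.security_context`, since the visible lines stop before any value is read from it.
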
 Review comment:
   @ashb I understand. 😃 The context is a bit harder to follow now since 
changes (f4253a29) were merged since this PR was submitted that touched the 
same area.
   
   Previously the only option that was added from `pod.security_context` was 
`fsGroup = 65533`, if SSH private key support from f4253a29 was enabled, so we 
never actually pulled base values from `pod.security_context` (or anywhere 
else). This PR adds the ability to customize `fsGroup` and `runAsUser` while 
maintaining compatibility as much as possible with the changes introduced in 
the aforementioned commit.
   
   Right now these are the only two security context options that are 
implemented in this PR, but it has been mentioned on Slack that it might be 
beneficial to support the full range since some more locked-down clusters might 
need them. I could add them but `fsGroup` and `runAsUser` are definitely the 
most common SC options so that's why I focused on them first.
   
   I am committing your suggested change.
