matthieu-foucault opened a new issue #12602: URL: https://github.com/apache/airflow/issues/12602
**Apache Airflow version**: 2.0.0-b3

**Kubernetes version**: v1.18.3+47c0e71, OpenShift v4.5

**What happened**:

When starting a worker pod with the `KubernetesOperator`, the Python script fails to import `airflow`.

**What you expected to happen**:

Running a Docker container in OpenShift is usually done with the "Restricted" Security Context Constraint, meaning that the container will be run with an arbitrary UID, and GID 0. The Airflow Docker image supports this (https://github.com/apache/airflow/pull/9545), which relies on the following lines from the container entrypoint:

https://github.com/apache/airflow/blob/6caf2607e04f581abdcb38fdbc426e03d5307429/scripts/in_container/prod/entrypoint_prod.sh#L93-L99

However, the entrypoint is currently overridden:

https://github.com/apache/airflow/blob/dd2095f4a8b07c9b1a4c279a3578cd1e23b71a1b/airflow/kubernetes/pod_generator.py#L395-L399

https://github.com/apache/airflow/blob/dd2095f4a8b07c9b1a4c279a3578cd1e23b71a1b/airflow/executors/kubernetes_executor.py#L291-L303

`command` changes the container `ENTRYPOINT` (not the `CMD` as one might think :zany_face: ), which means that the production image entrypoint is not used by the worker pod, preventing the airflow command from executing properly. To execute a custom command while keeping the original entrypoint, one should use the `args` parameter instead of `command`.

Looking at this with @pbastia. Sounds like a solution would be to:

- add an `args` parameter to `PodGenerator.construct_pod`
- in the kubernetes_executor, set `args` to `command[1:]`, since the container entrypoint expects an airflow command by default (see below)

https://github.com/apache/airflow/blob/6caf2607e04f581abdcb38fdbc426e03d5307429/scripts/in_container/prod/entrypoint_prod.sh#L135

Happy to open a PR for it if that sounds like an acceptable change.
cc @dimberman

**How to reproduce it**:

Run any DAG in OpenShift, using the restricted SCC.
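
The `command` versus `args` behaviour reported above, as an added example that is not part of the original issue or of Airflow's code. It applies the Kubernetes rule that `command` replaces the image `ENTRYPOINT` while `args` replaces only `CMD`; the image metadata, the worker command, the pod dictionary and all function names are constructed assumptions.

```python
# Assumed image metadata for illustration; not read from the real Airflow image.
IMAGE_ENTRYPOINT = ["/usr/bin/dumb-init", "--", "/entrypoint"]
IMAGE_CMD = ["--help"]

# Constructed worker command in the shape the issue describes ("airflow ...").
WORKER_COMMAND = ["airflow", "tasks", "run", "example_dag", "task_1",
                  "2020-11-24T00:00:00+00:00", "--local"]


def effective_argv(entrypoint, cmd, command=None, args=None):
    """Resolve what the container actually executes under Kubernetes rules."""
    if command:  # `command` replaces ENTRYPOINT and discards the image CMD
        return list(command) + list(args or [])
    if args:     # `args` alone replaces only CMD; ENTRYPOINT still runs
        return list(entrypoint) + list(args)
    return list(entrypoint) + list(cmd)


def runs_image_entrypoint(entrypoint, argv):
    """True if the image entrypoint (and its arbitrary-UID setup) is executed."""
    return argv[:len(entrypoint)] == list(entrypoint)


def to_args(airflow_command):
    """The change proposed in the issue: hand command[1:] to `args`."""
    if not airflow_command or airflow_command[0] != "airflow":
        raise ValueError("expected a command starting with 'airflow'")
    return airflow_command[1:]


def containers_bypassing_entrypoint(pod):
    """Names of containers in a pod dict that set `command`."""
    return [c["name"] for c in pod["spec"]["containers"] if c.get("command")]


def compare():
    current = effective_argv(IMAGE_ENTRYPOINT, IMAGE_CMD, command=WORKER_COMMAND)
    proposed = effective_argv(IMAGE_ENTRYPOINT, IMAGE_CMD,
                              args=to_args(WORKER_COMMAND))
    return {"current": current, "proposed": proposed}


if __name__ == "__main__":
    for name, argv in compare().items():
        ok = runs_image_entrypoint(IMAGE_ENTRYPOINT, argv)
        print(f"{name}: image entrypoint runs={ok} argv={argv}")
    pod = {"spec": {"containers": [{"name": "base", "command": WORKER_COMMAND}]}}
    print("bypassing entrypoint:", containers_bypassing_entrypoint(pod))
```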
