thesuperzapper opened a new issue #17744: URL: https://github.com/apache/airflow/issues/17744
I think the official helm chart should consider using the approach the [User-Community helm chart](https://github.com/airflow-helm/charts/tree/main/charts/airflow) has taken with `securityContext`.

__The main issues I see with the current approach of the official chart:__

- The `uid` and `gid` values are defined globally (rather than per container image, and obviously not all use `uid=5000`)
- The `uid` and `gid` values set the __Pod SecurityContext__ (not the __Container SecurityContext__), so the `runAsUser` affects other containers like git-sync (which don't use `uid=50000`)
- The `gid` value confusingly sets `fsGroup` and not `runAsGroup` (there is actually no value for `runAsGroup`)
- Users cannot "unset" the `fsGroup` (which some users may want, as `fsGroup` runs `chmod` on all files in PVCs as Containers start, increasing start times)

__For reference, the User-Community chart:__

- Allows setting `runAsUser` and `runAsGroup` [per container image](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L16-L17) (that is, defines the __Container SecurityContext__, not the __Pod SecurityContext__)
- Allows users to provide their own __Pod SecurityContext__ configs (both globally with [`airflow.defaultSecurityContext`](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L190-L197) and per-resource with values like [`scheduler.securityContext`](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L483-L487))

_PS: I don't think it's necessary to set `runAsGroup = 0` and think `50000` is better, as `fsGroup = 0` will be sufficient to ensure all files/folders are readable from PVCs, and many Kubernetes clusters will restrict setting `runAsGroup = 0`_

_(NOTE: the chart does NOT currently set `runAsGroup`, only `fsGroup`)_
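To make the Pod-vs-Container precedence concrete, here is an added example (not code from the issue or from either chart) that computes the uid/gid each container actually runs with: a field in a container's `securityContext` overrides the same field at Pod level, while `fsGroup` is Pod-only and never becomes the process gid. The two Pod specs are constructed for illustration; the git-sync uid/gid of 65533 is an assumed value, not taken from either chart.

```python
"""Effective uid/gid per container in a Kubernetes Pod spec.

Precedence rules applied here (Kubernetes semantics):
  - container.securityContext.runAsUser/runAsGroup override the Pod-level values
  - fsGroup exists only at Pod level; it controls volume ownership/chmod, not the process gid
The Pod specs below are constructed samples, not rendered output from any Helm chart.
"""


def effective_context(pod_spec: dict) -> dict:
    """Return {container_name: {"runAsUser", "runAsGroup", "fsGroup"}}; None means unset."""
    pod_sc = pod_spec.get("securityContext") or {}
    result = {}
    for container in pod_spec.get("containers", []):
        c_sc = container.get("securityContext") or {}
        result[container["name"]] = {
            # container-level value wins, otherwise the Pod-level value is inherited
            "runAsUser": c_sc.get("runAsUser", pod_sc.get("runAsUser")),
            "runAsGroup": c_sc.get("runAsGroup", pod_sc.get("runAsGroup")),
            # Pod-scoped only: no container can override or unset it
            "fsGroup": pod_sc.get("fsGroup"),
        }
    return result


def inherits_pod_uid(pod_spec: dict) -> list:
    """Names of containers whose uid comes from the Pod securityContext (e.g. a git-sync sidecar)."""
    pod_uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    return [c["name"] for c in pod_spec.get("containers", [])
            if pod_uid is not None and "runAsUser" not in (c.get("securityContext") or {})]


# Constructed: uid/gid set once at Pod level, gid expressed only as fsGroup
POD_LEVEL_STYLE = {
    "securityContext": {"runAsUser": 50000, "fsGroup": 50000},
    "containers": [{"name": "scheduler"}, {"name": "git-sync"}],
}

# Constructed: uid/gid set per container image; fsGroup left unset (no chmod at start)
PER_CONTAINER_STYLE = {
    "containers": [
        {"name": "scheduler", "securityContext": {"runAsUser": 50000, "runAsGroup": 50000}},
        {"name": "git-sync", "securityContext": {"runAsUser": 65533, "runAsGroup": 65533}},
    ],
}

if __name__ == "__main__":
    for label, spec in (("pod-level", POD_LEVEL_STYLE), ("per-container", PER_CONTAINER_STYLE)):
        print(label, effective_context(spec), "inherit uid:", inherits_pod_uid(spec))
```

Running it shows the sidecar silently picking up uid 50000 in the first spec and `runAsGroup` staying `None` there despite `gid` being "set".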