thesuperzapper opened a new issue #17744:
URL: https://github.com/apache/airflow/issues/17744


I think the official helm chart should consider using the approach the [User-Community helm chart](https://github.com/airflow-helm/charts/tree/main/charts/airflow) has taken with `securityContext`.

__The main issues I see with the current approach of the official chart:__
- The `uid` and `gid` values are defined globally (rather than per container image, and obviously not all use `uid=5000`)
- The `uid` and `gid` values set the __Pod SecurityContext__ (not the __Container SecurityContext__), so the `runAsUser` affects other containers like git-sync (which don't use `uid=50000`)
- The `gid` value confusingly sets `fsGroup` and not `runAsGroup` (there is actually no value for `runAsGroup`)
- Users cannot "unset" the `fsGroup` (which some users may want, as `fsGroup` runs `chmod` on all files in PVCs as Containers start, increasing start times)

__For reference, the User-Community chart:__
- Allows setting `runAsUser` and `runAsGroup` [per container image](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L16-L17) (that is, defines the __Container SecurityContext__, not the __Pod SecurityContext__)
- Allows users to provide their own __Pod SecurityContext__ configs (both globally with [`airflow.defaultSecurityContext`](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L190-L197) and per-resource with values like [`scheduler.securityContext`](https://github.com/airflow-helm/charts/blob/1043f957a7dc8e23c7fd64858b335752c0d01c1a/charts/airflow/values.yaml#L483-L487))

_PS: I don't think it's necessary to set `runAsGroup = 0` and think `50000` is better, as `fsGroup = 0` will be sufficient to ensure all files/folders are readable from PVCs, and many Kubernetes clusters will restrict setting `runAsGroup = 0`_
_(NOTE: the chart does NOT currently set `runAsGroup`, only `fsGroup`)_
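As an added example (not code from the issue or from either Helm chart), the following stdlib-only Python audit computes the securityContext each container actually runs with, using the Kubernetes rule that a Container-level `runAsUser`/`runAsGroup` overrides the Pod-level one while `fsGroup` is Pod-only. The two Pod specs are constructed to mirror the issue's description (uid on the Pod, so a git-sync sidecar inherits 50000) and the proposed per-container alternative; the git-sync uid 65533 is an assumed value, not one from the issue.

```python
from typing import Dict, List

# Fields allowed on both the Pod and the Container securityContext; when both
# are set, the Container value wins. fsGroup exists only at Pod level.
OVERRIDABLE = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_security_context(pod_spec: dict) -> Dict[str, dict]:
    """Map each container name to the securityContext it actually runs with."""
    pod_sc = pod_spec.get("securityContext") or {}
    result = {}
    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ctr_sc = ctr.get("securityContext") or {}
        eff = {f: ctr_sc.get(f, pod_sc.get(f))
               for f in OVERRIDABLE if f in ctr_sc or f in pod_sc}
        eff["fsGroup"] = pod_sc.get("fsGroup")  # the same for every container
        result[ctr["name"]] = eff
    return result


def containers_inheriting_uid(pod_spec: dict, uid: int) -> List[str]:
    """Containers running as `uid` only because the Pod-level runAsUser says so."""
    pod_sc = pod_spec.get("securityContext") or {}
    if pod_sc.get("runAsUser") != uid:
        return []
    return [c["name"] for c in pod_spec.get("containers", [])
            if "runAsUser" not in (c.get("securityContext") or {})]


# Constructed spec mirroring the issue's description of the official chart:
# uid/gid live on the Pod, so the git-sync sidecar inherits runAsUser 50000.
POD_LEVEL_SPEC = {
    "securityContext": {"runAsUser": 50000, "fsGroup": 0},
    "containers": [{"name": "scheduler"}, {"name": "git-sync"}],
}

# Constructed alternative in the style the issue proposes: runAsUser/runAsGroup
# per container, only fsGroup at Pod level (65533 is an assumed git-sync uid).
CONTAINER_LEVEL_SPEC = {
    "securityContext": {"fsGroup": 0},
    "containers": [
        {"name": "scheduler",
         "securityContext": {"runAsUser": 50000, "runAsGroup": 50000}},
        {"name": "git-sync", "securityContext": {"runAsUser": 65533}},
    ],
}

if __name__ == "__main__":
    for label, spec in (("pod-level", POD_LEVEL_SPEC), ("container-level", CONTAINER_LEVEL_SPEC)):
        print(label, effective_security_context(spec), containers_inheriting_uid(spec, 50000))
```

Feeding the dicts from `helm template` output (parsed with any YAML loader) into the same functions flags every sidecar that silently picks up the chart's global uid.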

