jedcunningham commented on a change in pull request #18249:
URL: https://github.com/apache/airflow/pull/18249#discussion_r770883736
##########
File path: chart/templates/_helpers.yaml
##########
@@ -616,3 +615,85 @@ Create the name of the cleanup service account to use
{{- end -}}
{{- $kubeVersion -}}
{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for securityContext or <node>.securityContext, defaults
to global uid and gid.
+
+ +------------------------+ +-----------------+
+-------------------------+
+ | <node>.securityContext | -> | securityContext | -> | Values.uid +
Values.gid |
+ +------------------------+ +-----------------+
+-------------------------+
+
+Values are not accumulated meaning that if runAsUser is set to 10 in
<node>.securityContext,
+any extra values set to securityContext or uid+gid will be ignored.
+
+The template can be called like so:
+ include "airflowSecurityContext" (list . .Values.webserver)
+
+Where '.' is the global varriables scope and `.Values.webserver` the local
variables scope for the webserver template.
+*/}}
+{{- define "airflowSecurityContext" -}}
+ {{- $ := index . 0 -}}
+ {{- with index . 1 }}
+ {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+ {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+ {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for securityContext or <node>.securityContext, defaults
to UID in the local node.
+
+ +------------------------+ +-------------+
+ | <node>.securityContext | > | <node>.uid |
+ +------------------------+ +-------------+
+
+The template can be called like so:
+ include "localSecurityContext" .Values.statsd
+
+It is important to pass the local variables scope to this template as it is
used to determine the local node value for uid.
+
+*/}}
+{{- define "localSecurityContext" -}}
+ {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+ {{- else -}}
+runAsUser: {{ .uid }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for securityContext or <node>.securityContext, defaults
to global uid and gid.
+The template looks for `runAsUser` and `fsGroup` specifically, any other
parameter will be ignored.
+
+ +------------------------+ +-----------------+
+-------------------------+
+ | <node>.securityContext | -> | securityContext | -> | Values.uid +
Values.gid |
+ +------------------------+ +-----------------+
+-------------------------+
+
+Values are not accumulated meaning that if runAsUser is set to 10 in
<node>.securityContext,
+any extra values set to securityContext or uid+gid will be ignored.
+
+The template can be called like so:
+ include "airflowSecurityContextIds" (list . .Values.workers)
+
+Where '.' is the global varriables scope and `.Values.workers` the local
variables scope for the workers template.
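Review bot: In `localSecurityContext` the fallback `runAsUser: {{ .uid }}` is emitted without checking that `.uid` is set, so a node with neither `securityContext` nor `uid` would render an empty `runAsUser` and the container would fall back to the image's default user, which may be root. Consider failing at render time instead, e.g. `runAsUser: {{ required "uid is required when securityContext is not set" .uid }}`. Separately, in `airflowSecurityContext` the whole body sits inside `{{- with index . 1 }}`, so an empty local node renders nothing at all, not even the `$.Values.uid`/`$.Values.gid` default; an `{{- else -}}` branch on the `with` that emits the same two fallback lines would close that gap (values.yaml is not shown here, so this may not occur with the chart defaults). The doc comment could also spell out what "not accumulated" means for operators: a partial `<node>.securityContext` that sets only `fsGroup` drops the default `runAsUser`, so overrides should set `runAsUser` explicitly. The body of `airflowSecurityContextIds` lies outside the quoted hunk and was not reviewed.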
Review comment:
```suggestion
Where `.` is the global variables scope and `.Values.workers` the local
variables scope for the workers template.
```
##########
File path: chart/templates/_helpers.yaml
##########
@@ -616,3 +615,85 @@ Create the name of the cleanup service account to use
{{- end -}}
{{- $kubeVersion -}}
{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for securityContext or <node>.securityContext, defaults
to global uid and gid.
+
+ +------------------------+ +-----------------+
+-------------------------+
+ | <node>.securityContext | -> | securityContext | -> | Values.uid +
Values.gid |
+ +------------------------+ +-----------------+
+-------------------------+
+
+Values are not accumulated meaning that if runAsUser is set to 10 in
<node>.securityContext,
+any extra values set to securityContext or uid+gid will be ignored.
+
+The template can be called like so:
+ include "airflowSecurityContext" (list . .Values.webserver)
+
+Where '.' is the global varriables scope and `.Values.webserver` the local
variables scope for the webserver template.
Review comment:
```suggestion
Where `.` is the global variables scope and `.Values.webserver` the local
variables scope for the webserver template.
```