ChrisFraun opened a new pull request, #24588: URL: https://github.com/apache/airflow/pull/24588
This PR is only a small change in the helm chart of Airflow.

What: Deployments can have security settings in their manifest on two levels: pod and container. However, there are some capabilities only configurable in one of the respective levels (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core). This PR sets a default configuration for container securityContext, which denies privilege escalation and drops all POSIX capabilities. These are and should be standard settings in the context of Kubernetes. It also adds the possibility of running Airflow in a Kubernetes environment without PSP (to be removed in v1.25, https://kubernetes.io/docs/concepts/security/pod-security-policy/), but with OpenPolicyAgent (a, or possibly the, PSP substitute) with the same capabilities as a restricted PSP instead.

Why: This missing configuration restricts Airflow from being used with the simple upstream helm chart without modifications/unnecessary maintenance. This applies especially to the restricted policy use in OPA. The specific setting in this PR is **not** inherited from `podSecurityContext` (pod level) in `securityContext` (container level).

Problem: There is already a `securityContext` in the values.yaml; however, this should actually be called `podSecurityContext` since it's on pod level. To not break backwards compatibility of Airflow, this PR hardcodes the respective capabilities on container level for statsd, scheduler and webserver. The other possibility would be to introduce a `containerSecurityContext` in the values.yaml, which is a made-up word since it is commonly called `securityContext`. Benefit in either case would be a more secure deployment.

Could not find any related issue at first sight.
Test was a simple `helm lint .` on chart level as well as a successful deployment.

```
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /Users/christophfraundorfer/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /Users/christophfraundorfer/.kube/config
==> Linting .
1 chart(s) linted, 0 chart(s) failed
```
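As an added example that is not part of this PR or of the Airflow chart, a small audit of a rendered Deployment for the two container-level settings the PR hardcodes. It shows why pod-level `securityContext` alone is not enough: the checker flags the "before" manifest and passes the "after" one. Both manifest dicts, the container name and the pod-level values are constructed for the example.

```python
import copy

# Added example, not code from the Airflow chart: audit a Deployment (already
# loaded as a dict, e.g. from `kubectl get deploy -o json`) for the two
# container-level settings this PR hardcodes. A pod-level securityContext does
# not propagate allowPrivilegeEscalation or capabilities to containers, so each
# container (init containers included) has to carry them itself.

def audit_containers(deployment: dict) -> dict:
    """Map container name -> list of missing hardening settings (empty = ok)."""
    pod_spec = deployment["spec"]["template"]["spec"]
    findings = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        problems = []
        # Must be explicitly false; an unset field is the insecure default.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append("allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in [x.upper() for x in caps.get("drop", [])]:
            problems.append("capabilities.drop does not contain ALL")
        if problems:
            findings[c["name"]] = problems
    return findings

# Constructed "before": only pod-level settings (what the values.yaml key
# `securityContext` renders today); the container inherits none of the
# container-level hardening. Values are illustrative, not the chart's.
BEFORE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 50000, "fsGroup": 0},
        "containers": [{"name": "scheduler"}],
    }}},
}

# Constructed "after": same pod, container-level securityContext set as in the PR.
AFTER = copy.deepcopy(BEFORE)
AFTER["spec"]["template"]["spec"]["containers"][0]["securityContext"] = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

if __name__ == "__main__":
    print("before:", audit_containers(BEFORE))  # scheduler flagged twice
    print("after:", audit_containers(AFTER))    # {}
```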
