ChrisFraun commented on code in PR #24588:
URL: https://github.com/apache/airflow/pull/24588#discussion_r942430894


##########
chart/values.yaml:
##########
@@ -35,12 +35,21 @@ revisionHistoryLimit: ~
 uid: 50000
 gid: 0
 
-# Default security context for airflow
+# Default security context for airflow (deprecated, use below in the future)
 securityContext: {}
 #  runAsUser: 50000
 #  fsGroup: 0
 #  runAsGroup: 0
 
+# Detailed default security context for airflow deployments
+securityContexts:
+  pod: {}
+  containers:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
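Review bot: the key names in this hunk and in the helper quoted in the comment disagree: values.yaml introduces `securityContexts.containers` (plural) while the helper reads `securityContext.container`, so one of the two must be renamed before these defaults are actually honoured. Since the comment says the defaults were moved into the helper, the `allowPrivilegeEscalation: false` / `drop: [ALL]` block here is either stale or is meant to be the documented fallback; please say which. The deprecation note on the legacy `securityContext` block should also name the replacement (`securityContexts`) instead of "use below in the future" and state that pod-level fields such as `runAsUser` and `fsGroup` now belong under `securityContexts.pod`, otherwise users will not know which block wins when both are set.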

Review Comment:
   I removed it from here and put it in the helper:
   {{/*
   Set the default value for container securityContext.
   If no value is passed for securityContext.container or
   <node>.securityContext.container, defaults to denying privilege escalation and
   dropping all POSIX capabilities.

       +----------------------------------+      +---------------------------+      +-----------------------------------------------------------+
       | <node>.securityContext.container |  ->  | securityContext.container |  ->  | allowPrivilegeEscalation: false, capabilities.drop: [ALL] |
       +----------------------------------+      +---------------------------+      +-----------------------------------------------------------+

   The template can be called like so:
      include "airflowSecurityContextContainer" (list . .Values.webserver)

   Where `.` is the global variables scope and `.Values.webserver` the local
   variables scope for the webserver template.
   */}}
   {{- define "airflowSecurityContextContainer" -}}
     {{- /* arg 0: global scope ($), arg 1: the node-local values map */ -}}
     {{- $ := index . 0 -}}
     {{- with index . 1 }}
       {{- /* 1. node-level override wins */ -}}
       {{- if .securityContext.container -}}
   {{ toYaml .securityContext.container }}
       {{- /* 2. then the chart-wide value */ -}}
       {{- else if $.Values.securityContext.container -}}
   {{ toYaml $.Values.securityContext.container }}
       {{- /* 3. otherwise the hardened default */ -}}
       {{- else -}}
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - ALL
       {{- end -}}
     {{- end -}}
   {{- end -}}
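As an added illustration (not code from the PR or the Airflow chart), the same three-level precedence in Python, paired with an audit of the effective container context so an override that silently weakens the default is flagged; the values dicts are constructed for the example.

```python
"""Mirror the helper's precedence and audit the resulting container securityContext."""
from typing import Any, Dict, List

# Hardened default the helper emits when neither scope sets a container context.
HARDENED_DEFAULT: Dict[str, Any] = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}


def resolve_container_context(global_values: Dict[str, Any],
                              local_values: Dict[str, Any]) -> Dict[str, Any]:
    """Same order as the helper: <node>.securityContext.container, then
    securityContext.container, then the hardened default.
    A missing or null securityContext map is treated as empty (the Go template
    would error when dereferencing .container on a nil map)."""
    local_ctx = (local_values.get("securityContext") or {}).get("container")
    if local_ctx:
        return local_ctx
    global_ctx = (global_values.get("securityContext") or {}).get("container")
    if global_ctx:
        return global_ctx
    return dict(HARDENED_DEFAULT)


def audit_container_context(ctx: Dict[str, Any]) -> List[str]:
    """Return findings where ctx is weaker than the chart default; [] means it is
    at least as strict."""
    findings: List[str] = []
    caps = ctx.get("capabilities") or {}
    if ctx.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not explicitly false")
    if "ALL" not in [c.upper() for c in caps.get("drop", [])]:
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append(f"capabilities.add re-grants: {caps['add']}")
    if ctx.get("privileged"):
        findings.append("privileged: true")
    return findings


if __name__ == "__main__":
    # Constructed values: a node-level override that only adds a capability.
    chart = {"securityContext": {"container": HARDENED_DEFAULT}}
    webserver = {"securityContext": {"container": {"capabilities": {"add": ["NET_ADMIN"]}}}}
    effective = resolve_container_context(chart, webserver)
    for finding in audit_container_context(effective):
        print("webserver:", finding)
```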



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
