jedcunningham commented on code in PR #24588:
URL: https://github.com/apache/airflow/pull/24588#discussion_r943702505
##########
chart/values.yaml:
##########
@@ -629,12 +634,17 @@ scheduler:
# (when not using LocalExecutor and workers.persistence)
strategy: ~
- # When not set, the values defined in the global securityContext will be used
+ # When not set, the values defined in the global securityContext will be
used (deprecated)
securityContext: {}
# runAsUser: 50000
# fsGroup: 0
# runAsGroup: 0
+ # Detailed default security context for scheduler deployments for container
and pod level
Review Comment:
```suggestion
# Detailed default security context for scheduler deployments for
container and pod level
```
##########
chart/templates/_helpers.yaml:
##########
@@ -703,14 +703,14 @@ Create the name of the cleanup service account to use
{{- end -}}
{{/*
-Set the default value for securityContext
-If no value is passed for securityContext or <node>.securityContext, defaults
to global uid and gid.
+Set the default value for pod securityContext
+If no value is passed for securityContext.pod or <node>.securityContext.pod,
defaults to global uid and gid.
Review Comment:
I think we want this order of precedence:
```
<node>.securityContexts.pod
<node>.securityContext
securityContexts.pod
securityContext (backcompat for deprecated config)
uid/gid
```
So I think this template still needs a little work, right? Also feel free to
rename this `airflowPodSecurityContext` to make it more clear.
##########
chart/values.yaml:
##########
@@ -894,12 +904,17 @@ webserver:
# Allow overriding Update Strategy for Webserver
strategy: ~
- # When not set, the values defined in the global securityContext will be used
+ # When not set, the values defined in the global securityContext will be
used (deprecated)
securityContext: {}
# runAsUser: 50000
# fsGroup: 0
# runAsGroup: 0
+ # Detailed default security contexts for webserver deployments for
container and pod level
Review Comment:
```suggestion
# Detailed default security contexts for webserver deployments for
container and pod level
```
##########
chart/values.schema.json:
##########
@@ -100,6 +100,39 @@
}
]
},
+ "securityContexts": {
+ "description": "Security context definition for the scheduler.",
Review Comment:
Sorry, probably could have been more clear with my original comments. This
one should still be global, and what you had before was good. I mean the
component specific descriptions needs to be updated to reflect they are
scheduler/webserver/etc specific.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]