Mingjie LI created AIRFLOW-4856:
-----------------------------------

             Summary: KubernetesExecutor's git initContainer run always as user 65533
                 Key: AIRFLOW-4856
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4856
             Project: Apache Airflow
          Issue Type: Bug
          Components: executors
    Affects Versions: 1.10.3
            Reporter: Mingjie LI


When trying to use KubernetesExecutor with the git sync functionality, I got this error:

[2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
    self.kube_scheduler.run_next(task)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
    self.launcher.run_pod_async(pod)
  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
    resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
    (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    body=body)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
    body=body)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}

even though the run_as_user option has been set in the cfg file as below:

[kubernetes]
run_as_user = 1000000000

https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128

From here we can see the init container is always running as user 65533.

Maybe we can use self.kube_config.worker_run_as_user instead.

Br,
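
Added example (not part of the original report and not Airflow's own code): a pre-flight check that walks a pod manifest and lists every container whose effective runAsUser falls outside an allowed UID range, showing why a pod-level UID does not help when an init container sets its own. The manifest, the container name "base" and the function names are constructed for illustration; the git-sync-clone name, UID 65533 and the range are taken from the error above.

```python
# Added example: pre-flight check of a pod manifest against a UID range.
# The manifest below is constructed; only the container name git-sync-clone,
# UID 65533 and the 1000000000-1000009999 range come from the error above.


def effective_uids(pod):
    """Yield (kind, container name, runAsUser or None) for every container."""
    spec = pod.get("spec", {})
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            uid = (c.get("securityContext") or {}).get("runAsUser")
            # A container-level runAsUser overrides the pod-level value.
            yield kind, c.get("name", "<unnamed>"), uid if uid is not None else pod_uid


def uid_violations(pod, uid_min, uid_max):
    """Return containers whose explicit UID falls outside [uid_min, uid_max].

    Containers with no UID at pod or container level are not flagged here.
    """
    return [
        (kind, name, uid)
        for kind, name, uid in effective_uids(pod)
        if uid is not None and not (uid_min <= uid <= uid_max)
    ]


# Constructed manifest: the pod-level UID is inside the range, but the init
# container carries its own hardcoded UID, as described in the report.
SAMPLE_POD = {
    "metadata": {"name": "worker-example"},
    "spec": {
        "securityContext": {"runAsUser": 1000000000},
        "initContainers": [
            {"name": "git-sync-clone", "securityContext": {"runAsUser": 65533}},
        ],
        "containers": [{"name": "base"}],
    },
}

if __name__ == "__main__":
    for kind, name, uid in uid_violations(SAMPLE_POD, 1000000000, 1000009999):
        print(f"{kind}/{name}: runAsUser {uid} outside allowed range")
```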


