[ https://issues.apache.org/jira/browse/AIRFLOW-4856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16873946#comment-16873946 ]
ASF GitHub Bot commented on AIRFLOW-4856:
-----------------------------------------
mingjie-li commented on pull request #5494: [AIRFLOW-4856] change hard coded run_as_user to an option in config file
URL: https://github.com/apache/airflow/pull/5494
Make sure you have checked _all_ steps below.
### Jira
- [x] My PR addresses the following
[AIRFLOW-4856](https://issues.apache.org/jira/browse/AIRFLOW-4856) issues and
references them in the PR title. For example, "\[AIRFLOW-XXX\] My Airflow PR"
- https://issues.apache.org/jira/browse/AIRFLOW-4856
### Description
- [x] Here are some details about my PR, including screenshots of any UI
changes:
When using KubernetesExecutor with git_sync, an init container is created to
sync with the git repo. The init container has a security context with a
hard-coded runAsUser=65533; this pull request aims to change the hard-coded
value to a config option.
### Tests
- [x] My PR adds the following unit tests:
* create test_init_environment_using_git_sync_run_as_user_empty: when the
option is empty, no security context should be created
* update test_worker_git_dags to check that the value of the option has been
correctly added to the security context
### Commits
- [x] My commits all reference Jira issues in their subject lines, and I
have squashed multiple commits if they address the same issue. In addition, my
commits follow the guidelines from "[How to write a good git commit
message](http://chris.beams.io/posts/git-commit/)":
1. Subject is separated from body by a blank line
1. Subject is limited to 50 characters (not including Jira issue reference)
1. Subject does not end with a period
1. Subject uses the imperative mood ("add", not "adding")
1. Body wraps at 72 characters
1. Body explains "what" and "why", not "how"
### Documentation
- [ ] In case of new functionality, my PR adds documentation that describes
how to use it.
- All the public functions and the classes in the PR contain docstrings
that explain what it does
- If you implement backwards incompatible changes, please leave a note in
the [Updating.md](https://github.com/apache/airflow/blob/master/UPDATING.md) so
we can assign it to an appropriate release
### Code Quality
- [ ] Passes `flake8`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> KubernetesExecutor's git initContainer run always as user 65533
> ---------------------------------------------------------------
>
> Key: AIRFLOW-4856
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4856
> Project: Apache Airflow
> Issue Type: Bug
> Components: executors
> Affects Versions: 1.10.3
> Reporter: Mingjie LI
> Priority: Major
>
> When trying to use KubernetesExecutor with the git sync functionality,
> I got this error:
> [2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
> Traceback (most recent call last):
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
>     self.kube_scheduler.run_next(task)
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
>     self.launcher.run_pod_async(pod)
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
>     resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
>     (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
>     collection_formats=collection_formats)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
>     _return_http_data_only, collection_formats, _preload_content, _request_timeout)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
>     _request_timeout=_request_timeout)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
>     body=body)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
>     body=body)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
>     raise ApiException(http_resp=r)
> kubernetes.client.rest.ApiException: (403)
> Reason: Forbidden
> HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
> HTTP response body:
> {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}
> even though the run_as_user option has been set in the cfg file as below:
> [kubernetes]
> run_as_user = 1000000000
>
> https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128
> From here we can see the init container is always running as user 65533.
> Maybe we can use self.kube_config.worker_run_as_user instead.
> Br,
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
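The behaviour the PR's tests describe (an empty run_as_user option means no securityContext at all; a configured value replaces the hard-coded 65533) and the failure the issue reports (the API server rejecting a UID outside the range the cluster's security context constraint allows) can be demonstrated with a small pre-flight check. The following is an added example written for this page; it is not code from the PR, from Airflow, or from the kubernetes client. The function names, the plain-dict container layout and the git-sync image tag are assumptions; the UID range 1000000000-1000009999 and the legacy UID 65533 come from the error body quoted in the issue.

```python
"""Added example (not the PR's or Airflow's code): derive the git-sync init
container's securityContext from a configurable run_as_user option and check
the UID against the range the cluster policy admits before the pod is
submitted, so a misconfiguration surfaces locally instead of as a 403."""
from typing import Optional, Tuple

# UID that the affected Airflow version hard coded for the git-sync init
# container (value taken from the issue report).
LEGACY_GIT_SYNC_UID = 65533


def parse_run_as_user(raw: Optional[str]) -> Optional[int]:
    """Parse the [kubernetes] run_as_user option.

    Empty or missing -> None, meaning "emit no securityContext and let the
    cluster's policy assign a UID". Anything that is not a non-negative
    integer is rejected loudly rather than silently replaced by a default.
    """
    if raw is None or not raw.strip():
        return None
    try:
        uid = int(raw.strip())
    except ValueError:
        raise ValueError(f"run_as_user must be an integer, got {raw!r}") from None
    if uid < 0:
        raise ValueError(f"run_as_user must be non-negative, got {uid}")
    return uid


def git_sync_init_container(run_as_user: Optional[int],
                            repo: str = "https://git.example.invalid/dags.git") -> dict:
    """Build a plain-dict init container spec (constructed layout, not Airflow's).

    securityContext is present only when a UID was configured, mirroring the
    PR's "empty option -> no security context" behaviour; otherwise the
    configured UID takes the place of the legacy hard-coded 65533.
    """
    container = {
        "name": "git-sync-clone",
        "image": "k8s.gcr.io/git-sync:v3.1.1",  # assumed image tag, not from the page
        "env": [
            {"name": "GIT_SYNC_REPO", "value": repo},
            {"name": "GIT_SYNC_ONE_TIME", "value": "true"},
        ],
        "volumeMounts": [{"name": "airflow-dags", "mountPath": "/git"}],
    }
    if run_as_user is not None:
        container["securityContext"] = {"runAsUser": run_as_user}
    return container


def check_uid_against_policy(container: dict,
                             allowed: Tuple[int, int]) -> Optional[str]:
    """Return an error message if the container's runAsUser lies outside the
    UID range the cluster policy admits (the condition behind the 403 in the
    issue), or None if this check would pass.

    A container with no runAsUser passes: a range-based policy fills in a
    UID from its own range in that case.
    """
    uid = (container.get("securityContext") or {}).get("runAsUser")
    if uid is None:
        return None
    lo, hi = allowed
    if not lo <= uid <= hi:
        return (f"securityContext.runAsUser: Invalid value: {uid}: UID on "
                f"container {container['name']} does not match required "
                f"range. Found {uid}, required min: {lo} max: {hi}")
    return None


def preflight(raw_option: Optional[str],
              allowed: Tuple[int, int]) -> Tuple[dict, Optional[str]]:
    """Config value -> init container -> policy pre-check, in one call."""
    container = git_sync_init_container(parse_run_as_user(raw_option))
    return container, check_uid_against_policy(container, allowed)


if __name__ == "__main__":
    # Constructed policy range, copied from the 403 body quoted in the issue.
    scc_range = (1000000000, 1000009999)
    for raw in ("", "1000000000", str(LEGACY_GIT_SYNC_UID)):
        container, err = preflight(raw, scc_range)
        print(f"run_as_user={raw!r}: securityContext="
              f"{container.get('securityContext')} -> {err or 'OK'}")
```

Running the module prints one line per case: the empty option yields no securityContext and passes, 1000000000 passes, and the legacy 65533 produces the same "does not match required range" message the API server returned in the issue, before any pod is created.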