[ 
https://issues.apache.org/jira/browse/AIRFLOW-4856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892146#comment-16892146
 ] 

ASF GitHub Bot commented on AIRFLOW-4856:
-----------------------------------------

dimberman commented on pull request #5494: [AIRFLOW-4856] Make git sync 
run_as_user an config option
URL: https://github.com/apache/airflow/pull/5494
 
 
   
 


> KubernetesExecutor's git initContainer run always as user 65533
> ---------------------------------------------------------------
>
>                 Key: AIRFLOW-4856
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4856
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: executors
>    Affects Versions: 1.10.3
>            Reporter: Mingjie LI
>            Priority: Major
>
> When trying to use KubernetesExecutor with git sync functionality,
> I got this error:
> [2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
> Traceback (most recent call last):
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
>     self.kube_scheduler.run_next(task)
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
>     self.launcher.run_pod_async(pod)
>   File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
>     resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
>     (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
>     collection_formats=collection_formats)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
>     _return_http_data_only, collection_formats, _preload_content, _request_timeout)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
>     _request_timeout=_request_timeout)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
>     body=body)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
>     body=body)
>   File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
>     raise ApiException(http_resp=r)
> kubernetes.client.rest.ApiException: (403)
> Reason: Forbidden
> HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
> HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}
> even though the run_as_user option has been set in the cfg file as below:
> [kubernetes]
> run_as_user = 1000000000
>  
> [https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128]
> From here we can see the init container is always running as user 65533.
> Maybe we can use self.kube_config.worker_run_as_user instead.
> Br,
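
The following is an added example, not part of the original report and not Airflow code: a pre-flight check that walks a pod spec, init containers included, and lists every explicit runAsUser outside an allowed range, which is the condition the 403 above reports for git-sync-clone. The pod layout, the "base" container name and all function names are assumptions made for illustration; the UIDs and the range are the ones quoted in the error message.

```python
# Added example (not Airflow code). The pod layout and the "base" container
# name are constructed; the UIDs and range come from the 403 message above.
SCC_MIN, SCC_MAX = 1000000000, 1000009999


def effective_uid(container, pod_spec):
    """Container-level runAsUser takes precedence over the pod-level value."""
    uid = (container.get("securityContext") or {}).get("runAsUser")
    if uid is None:
        uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    return uid


def uid_violations(pod_spec, uid_min, uid_max):
    """List (section, container name, uid) for each container whose
    explicit UID falls outside [uid_min, uid_max]. Init containers are
    checked too, because they are validated like any other container."""
    violations = []
    for section in ("initContainers", "containers"):
        for container in pod_spec.get(section) or []:
            uid = effective_uid(container, pod_spec)
            # None means no UID is requested explicitly, so there is
            # nothing to compare against the range.
            if uid is not None and not uid_min <= uid <= uid_max:
                violations.append((section, container["name"], uid))
    return violations


def build_pod_spec(init_uid):
    """Constructed pod spec: pod-level UID taken from run_as_user in the
    cfg file, init container UID passed in by the caller."""
    return {
        "securityContext": {"runAsUser": 1000000000},
        "initContainers": [
            {"name": "git-sync-clone",
             "securityContext": {"runAsUser": init_uid}},
        ],
        "containers": [{"name": "base"}],
    }


HARDCODED = build_pod_spec(65533)        # init container UID fixed in code
CONFIGURED = build_pod_spec(1000000000)  # init container UID follows config

if __name__ == "__main__":
    for label, spec in (("hardcoded", HARDCODED), ("configured", CONFIGURED)):
        print(label, uid_violations(spec, SCC_MIN, SCC_MAX) or "ok")
```
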


