jedcunningham commented on code in PR #31043: URL: https://github.com/apache/airflow/pull/31043#discussion_r1212445164
########## docs/helm-chart/production-guide.rst: ########## 
@@ -331,35 +331,41 @@ In the Airflow Helm chart, the ``securityContext`` can be configured in several * :ref:`uid <parameters:Airflow>` (configures the global uid or RunAsUser) * :ref:`gid <parameters:Airflow>` (configures the global gid or fsGroup) - * :ref:`securityContext <parameters:Kubernetes>` (same as ``uid`` but allows for setting all `Pod securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core>`_) - * :ref:`securityContexts <parameters:Kubernetes>` (same as ``securityContext`` with additional security context on the container level `Container securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core>`_) + * :ref:`securityContext <parameters:Kubernetes>` (deprecated, use ``securityContexts`` instead.) + * :ref:`securityContexts <parameters:Kubernetes>` (same as ``uid`` but allows for setting all `Pod securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core>`_ and `Container securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core>`_) -The same way one can configure the global :ref:`securityContext <parameters:Kubernetes>`, it is also possible to configure different values for specific workloads by setting their local ``securityContext`` as follows: +The same way one can configure the global :ref:`securityContexts <parameters:Kubernetes>`, it is also possible to configure different values for specific workloads by setting their local ``securityContexts`` as follows: .. code-block:: yaml workers: securityContext: + pod: runAsUser: 5000 fsGroup: 0 + containers: + allowPrivilegeEscalation: false Review Comment: ```suggestion securityContexts: pod: runAsUser: 5000 fsGroup: 0 containers: allowPrivilegeEscalation: false ``` Right? ########## docs/helm-chart/production-guide.rst: ########## 
@@ -331,35 +331,41 @@ In the Airflow Helm chart, the ``securityContext`` can be configured in several * :ref:`uid <parameters:Airflow>` (configures the global uid or RunAsUser) * :ref:`gid <parameters:Airflow>` (configures the global gid or fsGroup) - * :ref:`securityContext <parameters:Kubernetes>` (same as ``uid`` but allows for setting all `Pod securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core>`_) - * :ref:`securityContexts <parameters:Kubernetes>` (same as ``securityContext`` with additional security context on the container level `Container securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core>`_) + * :ref:`securityContext <parameters:Kubernetes>` (deprecated, use ``securityContexts`` instead.) Review Comment: ```suggestion ``` We don't have to mention the old way :) ########## docs/helm-chart/production-guide.rst: ########## 
@@ -331,35 +331,41 @@ In the Airflow Helm chart, the ``securityContext`` can be configured in several * :ref:`uid <parameters:Airflow>` (configures the global uid or RunAsUser) * :ref:`gid <parameters:Airflow>` (configures the global gid or fsGroup) - * :ref:`securityContext <parameters:Kubernetes>` (same as ``uid`` but allows for setting all `Pod securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core>`_) - * :ref:`securityContexts <parameters:Kubernetes>` (same as ``securityContext`` with additional security context on the container level `Container securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core>`_) + * :ref:`securityContext <parameters:Kubernetes>` (deprecated, use ``securityContexts`` instead.) + * :ref:`securityContexts <parameters:Kubernetes>` (same as ``uid`` but allows for setting all `Pod securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core>`_ and `Container securityContext options <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core>`_) -The same way one can configure the global :ref:`securityContext <parameters:Kubernetes>`, it is also possible to configure different values for specific workloads by setting their local ``securityContext`` as follows: +The same way one can configure the global :ref:`securityContexts <parameters:Kubernetes>`, it is also possible to configure different values for specific workloads by setting their local ``securityContexts`` as follows: .. code-block:: yaml workers: securityContext: + pod: runAsUser: 5000 fsGroup: 0 + containers: + allowPrivilegeEscalation: false -In the example above, the workers Pod ``securityContext`` will be set to ``runAsUser: 5000`` and ``runAsGroup: 0``. -As one can see, the local setting will take precedence over the global setting when defined. 
The following explains the precedence rule for ``securityContext`` options in this chart: +In the example above, the workers Pod ``securityContexts`` will be set to ``runAsUser: 5000`` and ``runAsGroup: 0``. The containers pod will be set to ``allowPrivilegeEscalation: false``. Review Comment: ```suggestion In the example above, the workers Pod ``securityContexts`` will be set to ``runAsUser: 5000`` and ``fsGroup: 0``. The containers pod will be set to ``allowPrivilegeEscalation: false``. Existing error! Oops! ```
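Review bot: In the ``workers`` YAML example, the unchanged context line still reads ``securityContext:`` while the added ``pod:`` and ``containers:`` keys are nested beneath it, so the example puts the new structure under the key that the bullet list now calls deprecated. Rename that line to ``securityContexts:`` so it matches the sentence introducing the block ("by setting their local ``securityContexts``"); as written, a reader who copies the example sets ``allowPrivilegeEscalation: false`` under the old key name.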
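Review bot: The two rewritten bullets do not say what happens when both ``securityContext`` and ``securityContexts`` are set, which matters in a production hardening guide because a leftover value under the deprecated key could be mistaken for the effective setting. Either drop the deprecated bullet or add one sentence stating which key wins. If the bullet stays, move the full stop outside the parenthesis in "(deprecated, use ``securityContexts`` instead.)" to match the other bullets, and reconsider "same as ``uid``" for ``securityContexts``, since that entry now covers container-level options as well as pod-level ones.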
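Review bot: The added sentence after the example says the workers Pod is set to ``runAsUser: 5000`` and ``runAsGroup: 0``, but the example sets ``fsGroup: 0``, and these are different fields; the sentence should say ``fsGroup: 0``. In the same region, "The containers pod will be set to" would read more clearly as "the containers in the pod", the unchanged line "The following explains the precedence rule for ``securityContext`` options" still uses the old name, and the sentence stating that the local setting takes precedence over the global one is removed with no replacement visible in this hunk, so keep it if it still holds.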
