This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 847d2c3b37 Add containerSecurityContext for cleanup (#34351)
847d2c3b37 is described below

commit 847d2c3b37210113dce3cf5da0344a2fcfcd9d12
Author: Kim Minwoo <[email protected]>
AuthorDate: Thu Sep 14 04:53:06 2023 +0900

    Add containerSecurityContext for cleanup (#34351)
---
 chart/templates/cleanup/cleanup-cronjob.yaml |  2 ++
 chart/values.yaml                            |  1 +
 helm_tests/security/test_security_context.py | 43 ++++++++++++++++++++++------
 3 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/chart/templates/cleanup/cleanup-cronjob.yaml 
b/chart/templates/cleanup/cleanup-cronjob.yaml
index c09e279ab3..d7b56c6f01 100644
--- a/chart/templates/cleanup/cleanup-cronjob.yaml
+++ b/chart/templates/cleanup/cleanup-cronjob.yaml
@@ -26,6 +26,7 @@
 {{- $tolerations := or .Values.cleanup.tolerations .Values.tolerations }}
 {{- $topologySpreadConstraints := or .Values.cleanup.topologySpreadConstraints 
.Values.topologySpreadConstraints }}
 {{- $securityContext := include "airflowPodSecurityContext" (list . 
.Values.cleanup) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . 
.Values.cleanup) }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,6 +92,7 @@ spec:
             - name: airflow-cleanup-pods
               image: {{ template "airflow_image" . }}
               imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+              securityContext: {{ or $containerSecurityContext 
.Values.cleanup.securityContexts.container .Values.securityContexts.containers 
| nindent 16 }}
               {{- if .Values.cleanup.command }}
               command: {{ tpl (toYaml .Values.cleanup.command) . | nindent 16 
}}
               {{- end }}
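Review bot: The `or` chain on the added `securityContext:` line mixes a rendered string with raw maps. `$containerSecurityContext` is the output of `include`, so it is a string, while `.Values.cleanup.securityContexts.container` and `.Values.securityContexts.containers` are maps, and the whole `or` result is piped into `nindent 16`, which expects a string. If the `containerSecurityContext` helper already resolves the component-level and global values (presumably, since it is passed `.Values.cleanup`; confirm in the helpers file), the two fallbacks are never reached, and if one ever were, the template would fail to render rather than emit YAML. Using `securityContext: {{ $containerSecurityContext | nindent 16 }}` leaves one source of truth for the cleanup container's security settings.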
diff --git a/chart/values.yaml b/chart/values.yaml
index 5f0732afc8..cdd418ee38 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -2223,6 +2223,7 @@ cleanup:
 
   # Detailed default security context for cleanup for container level
   securityContexts:
+    pod: {}
     container: {}
 
   # container level lifecycle hooks
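Review bot: The comment above `securityContexts:` still says "for container level", but with `pod: {}` added the block now carries both levels. Suggest `# Detailed default security context for cleanup for pod and container level`. Both defaults are empty maps, so it is worth stating in the comment that any hardening for the cleanup job must come from these keys or from the chart-wide `securityContexts` values.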
diff --git a/helm_tests/security/test_security_context.py 
b/helm_tests/security/test_security_context.py
index 74da2cc95d..8a51f62e67 100644
--- a/helm_tests/security/test_security_context.py
+++ b/helm_tests/security/test_security_context.py
@@ -223,9 +223,12 @@ class TestSecurityContext:
         docs = render_chart(
             values={
                 "securityContexts": {"containers": ctx_value_container, "pod": 
ctx_value_pod},
+                "cleanup": {"enabled": True},
+                "flower": {"enabled": True},
                 "pgbouncer": {"enabled": True},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -238,7 +241,15 @@ class TestSecurityContext:
                 "templates/redis/redis-statefulset.yaml",
             ],
         )
-        for doc in docs[:-3]:
+
+        assert ctx_value_container == jmespath.search(
+            
"spec.jobTemplate.spec.template.spec.containers[0].securityContext", docs[0]
+        )
+        assert ctx_value_pod == jmespath.search(
+            "spec.jobTemplate.spec.template.spec.securityContext", docs[0]
+        )
+
+        for doc in docs[1:-3]:
             assert ctx_value_container == jmespath.search(
                 "spec.template.spec.containers[0].securityContext", doc
             )
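Review bot: The new assertions pick the cleanup CronJob by position (`docs[0]`, then `docs[1:-3]` for the rest), which depends on `templates/cleanup/cleanup-cronjob.yaml` staying first in `show_only` and on the rendered order following that list. If the list is reordered, a Deployment is checked against the `spec.jobTemplate...` path (or the CronJob against `spec.template...`) and `jmespath.search` just returns `None`, so the failure does not point at the cause. Selecting by kind, e.g. `cronjob = next(d for d in docs if d["kind"] == "CronJob")`, keeps the security-context check tied to the right object. The same `docs[0]` / `docs[1:]` pattern recurs in the later hunks at -294, -420 and -452, and the test method itself starts above this hunk.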
@@ -269,18 +280,20 @@ class TestSecurityContext:
         security_context = {"securityContexts": {"container": ctx_value}}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
                 "triggerer": {**security_context},
-                "pgbouncer": {**security_context},
+                "pgbouncer": {"enabled": True, **security_context},
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -294,7 +307,11 @@ class TestSecurityContext:
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == jmespath.search(
+            
"spec.jobTemplate.spec.template.spec.containers[0].securityContext", docs[0]
+        )
+
+        for doc in docs[1:]:
             assert ctx_value == 
jmespath.search("spec.template.spec.containers[0].securityContext", doc)
 
     # Test securityContexts for log-groomer-sidecar main container
@@ -395,18 +412,20 @@ class TestSecurityContext:
         security_context = {"securityContexts": {"pod": ctx_value}}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
                 "triggerer": {**security_context},
-                "pgbouncer": {**security_context},
+                "pgbouncer": {"enabled": True, **security_context},
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -420,7 +439,9 @@ class TestSecurityContext:
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == 
jmespath.search("spec.jobTemplate.spec.template.spec.securityContext", docs[0])
+
+        for doc in docs[1:]:
             assert ctx_value == 
jmespath.search("spec.template.spec.securityContext", doc)
 
     # Test securityContexts for main pods
@@ -429,10 +450,11 @@ class TestSecurityContext:
         security_context = {"securityContext": ctx_value}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
@@ -440,6 +462,7 @@ class TestSecurityContext:
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -452,5 +475,7 @@ class TestSecurityContext:
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == 
jmespath.search("spec.jobTemplate.spec.template.spec.securityContext", docs[0])
+
+        for doc in docs[1:]:
             assert ctx_value == 
jmespath.search("spec.template.spec.securityContext", doc)
