amoghrajesh commented on issue #43464: URL: https://github.com/apache/airflow/issues/43464#issuecomment-2446418044
@potiuk @DjVinnii I checked the issue. The fix was to complete this one https://github.com/apache/airflow/issues/30722. The idea was to not mount the service account tokens to reduce the security risk of the token being exposed if a pod is compromised.

On further reading, I see that the token is always needed for scheduler and if this is set to false, the serviceaccount token will not be automatically mounted into the pods that use this service account (scheduler for example). The scheduler will not be able to authenticate to the K8s API, which is needed for tasks like creating and managing pods.

> I am indeed willing to submit a PR, however I don't know what the best way will be to solve this. Maybe @amoghrajesh has some insights on this.

@DjVinnii I think the most ideal fix here would be to remove the option from the scheduler service account. It can be optional for other pods but it is always supposed to be true for scheduler.
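The trade-off discussed in the comment above, as an added example that is not part of the original message or of the Airflow chart: a small audit that resolves the effective `automountServiceAccountToken` value per workload (in Kubernetes the pod-level field overrides the ServiceAccount's, and the default is true) and flags a scheduler left without a token. The service account names, the workload list, and the treatment of non-scheduler pods as not needing the token are assumptions made for illustration.

```python
# Added example: constructed manifests, not output of the Airflow Helm chart.
# Assumption taken from the comment: only the scheduler must reach the K8s API.
NEEDS_API = {"scheduler"}

def effective_automount(pod_spec, service_accounts):
    """Kubernetes rule: pod-level setting wins, then the ServiceAccount's, default True."""
    if "automountServiceAccountToken" in pod_spec:
        return pod_spec["automountServiceAccountToken"]
    sa = service_accounts.get(pod_spec.get("serviceAccountName", "default"), {})
    return sa.get("automountServiceAccountToken", True)

def audit(workloads, service_accounts):
    """Return (workload, finding) pairs for tokens that are missing or unneeded."""
    findings = []
    for name, pod_spec in sorted(workloads.items()):
        mounted = effective_automount(pod_spec, service_accounts)
        if name in NEEDS_API and not mounted:
            findings.append((name, "broken: no token, cannot call the K8s API"))
        elif name not in NEEDS_API and mounted:
            findings.append((name, "exposed: token mounted but not required"))
    return findings

# Constructed sample input (hypothetical names).
SERVICE_ACCOUNTS = {
    "airflow-scheduler": {"automountServiceAccountToken": False},
    "airflow-webserver": {"automountServiceAccountToken": False},
    "airflow-triggerer": {},  # field unset, so the Kubernetes default (True) applies
}
WORKLOADS = {
    "scheduler": {"serviceAccountName": "airflow-scheduler"},
    "webserver": {"serviceAccountName": "airflow-webserver"},
    "triggerer": {"serviceAccountName": "airflow-triggerer"},
}

if __name__ == "__main__":
    for name, msg in audit(WORKLOADS, SERVICE_ACCOUNTS):
        print(f"{name}: {msg}")
```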
