DjVinnii opened a new issue, #49276:
URL: https://github.com/apache/airflow/issues/49276
### Description
Allow configuring the Container Security Context for the XCom sidecar. It
would be great if this can be set with a default the Airflow Deployment
Managers and if needed overridden by the Dag Authors.
### Use case/motivation
It might be impossible to use the XCom sidecar when using the
KubernetesPodOperator in a strictly regulated environment with for example OPA
policies. It is for example not possible to configure the Container Security
Context for the ingested sidecar when certain Container Security Context
settings are expected such as the error bellow mentions:
```
HTTP response body:
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"admission
webhook \"validation.gatekeeper.sh\" denied the request:
[deny-privilege-escalation] Privilege escalation in container is not allowed:
airflow-xcom-sidecar\n[ro-rootfs-constraint] Read-only root filesystem is
required: airflow-xcom-sidecar\n[k8sseccomp] Seccomp profile 'not configured'
is not allowed for container 'airflow-xcom-sidecar'. Found at: no explicit
profile found. Allowed profiles: {\"RuntimeDefault\", \"docker/default\",
\"runtime/default\"}","reason":"Forbidden","code":403}
```
### Related issues
_No response_
### Are you willing to submit a PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
