jedcunningham pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 5135f18daaf Missing SCC Role bindings for redis and api-server (#57985)
5135f18daaf is described below
commit 5135f18daafe0f5d7e16985da88f377b32cdb810
Author: Ronaldo Campos <[email protected]>
AuthorDate: Sat Nov 22 03:51:09 2025 +0000
Missing SCC Role bindings for redis and api-server (#57985)
---
.../security-context-constraint-rolebinding.yaml | 8 ++++++++
.../helm_tests/security/test_scc_rolebinding.py | 24 +++++++++++++---------
2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
index 3a070a38b47..869798013af 100644
--- a/chart/templates/rbac/security-context-constraint-rolebinding.yaml
+++ b/chart/templates/rbac/security-context-constraint-rolebinding.yaml
@@ -71,6 +71,9 @@ subjects:
- kind: ServiceAccount
name: {{ include "scheduler.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
+ - kind: ServiceAccount
+ name: {{ include "apiServer.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
{{- if and .Values.statsd.enabled }}
- kind: ServiceAccount
name: {{ include "statsd.serviceAccountName" . }}
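Review bot: The new `apiServer.serviceAccountName` subject has no guard, so the RoleBinding names that ServiceAccount even in releases that deploy no api-server; the updated tests expect `release-name-airflow-webserver` and `release-name-airflow-api-server` in the same rendered binding. A subject that refers to a ServiceAccount the chart did not create is a standing SCC grant for whoever later creates an account with that name in the namespace. Consider wrapping it the way the triggerer entry is wrapped, for example `{{- if semverCompare ">=3.0.0" .Values.airflowVersion }}` … `{{- end }}`, if that matches the condition the api-server templates use. The redis subject in the next hunk has the same shape: it is gated on `.Values.redis.enabled` alone, which may be wider than the condition under which the redis ServiceAccount is rendered. The subjects list begins outside this hunk.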
@@ -81,6 +84,11 @@ subjects:
name: {{ include "flower.serviceAccountName" . }}
namespace: "{{ .Release.Namespace }}"
{{- end }}
+ {{- if .Values.redis.enabled }}
+ - kind: ServiceAccount
+ name: {{ include "redis.serviceAccountName" . }}
+ namespace: "{{ .Release.Namespace }}"
+ {{- end }}
{{- if and (semverCompare ">=2.2.0" .Values.airflowVersion) }}
- kind: ServiceAccount
name: {{ include "triggerer.serviceAccountName" . }}
diff --git a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
index 0997deb4e2e..703afa08a5f 100644
--- a/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
+++ b/helm-tests/tests/helm_tests/security/test_scc_rolebinding.py
@@ -55,13 +55,15 @@ class TestSCCActivation:
assert jmespath.search("subjects[0].name", docs[0]) ==
"release-name-airflow-webserver"
assert jmespath.search("subjects[1].name", docs[0]) ==
"release-name-airflow-worker"
assert jmespath.search("subjects[2].name", docs[0]) ==
"release-name-airflow-scheduler"
- assert jmespath.search("subjects[3].name", docs[0]) ==
"release-name-airflow-statsd"
- assert jmespath.search("subjects[4].name", docs[0]) ==
"release-name-airflow-flower"
- assert jmespath.search("subjects[5].name", docs[0]) ==
"release-name-airflow-triggerer"
- assert jmespath.search("subjects[6].name", docs[0]) ==
"release-name-airflow-migrate-database-job"
- assert jmespath.search("subjects[7].name", docs[0]) ==
"release-name-airflow-create-user-job"
- assert jmespath.search("subjects[8].name", docs[0]) ==
"release-name-airflow-cleanup"
- assert jmespath.search("subjects[9].name", docs[0]) ==
"release-name-airflow-dag-processor"
+ assert jmespath.search("subjects[3].name", docs[0]) ==
"release-name-airflow-api-server"
+ assert jmespath.search("subjects[4].name", docs[0]) ==
"release-name-airflow-statsd"
+ assert jmespath.search("subjects[5].name", docs[0]) ==
"release-name-airflow-flower"
+ assert jmespath.search("subjects[6].name", docs[0]) ==
"release-name-airflow-redis"
+ assert jmespath.search("subjects[7].name", docs[0]) ==
"release-name-airflow-triggerer"
+ assert jmespath.search("subjects[8].name", docs[0]) ==
"release-name-airflow-migrate-database-job"
+ assert jmespath.search("subjects[9].name", docs[0]) ==
"release-name-airflow-create-user-job"
+ assert jmespath.search("subjects[10].name", docs[0]) ==
"release-name-airflow-cleanup"
+ assert jmespath.search("subjects[11].name", docs[0]) ==
"release-name-airflow-dag-processor"
@pytest.mark.parametrize(
("rbac_enabled", "scc_enabled", "created", "namespace",
"expected_name"),
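Review bot: The assertions in this test pin each subject by list position and, unlike the later test's `assert len(docs[0]["subjects"]) == 7`, show no length check, so an extra ServiceAccount bound to the SCC after index 11 would pass unnoticed. Comparing the whole list once, `assert jmespath.search("subjects[*].name", docs[0]) == [...]` with the twelve expected names, checks both order and exact membership. It also avoids renumbering every line when a subject is inserted, which is most of this diff. The same applies to the index assertions in the hunk at `@@ -118,6 +120,8 @@`. The test method starts outside the hunk.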
@@ -118,6 +120,8 @@ class TestSCCActivation:
assert jmespath.search("subjects[0].name", docs[0]) ==
"release-name-airflow-webserver"
assert jmespath.search("subjects[1].name", docs[0]) ==
"release-name-airflow-worker"
assert jmespath.search("subjects[2].name", docs[0]) ==
"release-name-airflow-scheduler"
- assert jmespath.search("subjects[3].name", docs[0]) ==
"release-name-airflow-triggerer"
- assert jmespath.search("subjects[4].name", docs[0]) ==
"release-name-airflow-migrate-database-job"
- assert len(docs[0]["subjects"]) == 5
+ assert jmespath.search("subjects[3].name", docs[0]) ==
"release-name-airflow-api-server"
+ assert jmespath.search("subjects[4].name", docs[0]) ==
"release-name-airflow-redis"
+ assert jmespath.search("subjects[5].name", docs[0]) ==
"release-name-airflow-triggerer"
+ assert jmespath.search("subjects[6].name", docs[0]) ==
"release-name-airflow-migrate-database-job"
+ assert len(docs[0]["subjects"]) == 7