dano-nx opened a new issue, #59099:
URL: https://github.com/apache/airflow/issues/59099
### Official Helm Chart version
1.18.0 (latest released)
### Apache Airflow version
3.0.6
### Kubernetes Version
1.33.5
### Helm Chart configuration
```yaml
executor: KubernetesExecutor
scheduler:
  serviceAccount:
    automountServiceAccountToken: false
  extraVolumes:
    - name: sa-token
      projected:
        defaultMode: 420
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
                - key: ca.crt
                  path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
                - fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
                  path: namespace
  extraVolumeMounts:
    - name: sa-token
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
apiServer:
  serviceAccount:
    automountServiceAccountToken: false
dagProcessor:
  serviceAccount:
    automountServiceAccountToken: false
migrateDatabaseJob:
  serviceAccount:
    automountServiceAccountToken: false
statsd:
  serviceAccount:
    automountServiceAccountToken: false
triggerer:
  serviceAccount:
    automountServiceAccountToken: false
workers:
  serviceAccount:
    automountServiceAccountToken: false
```
### Docker Image customizations
none
### What happened
The rendered Kubernetes resources for the Scheduler service account should
contain the following property:
```yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
```
The rendered Kubernetes resources for the Scheduler deployment should
contain the following property:
```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      automountServiceAccountToken: false
```
Both properties are missing. This conflicts with my present Kyverno policies:
- https://github.com/kyverno/policies/raw/main/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml
- https://github.com/kyverno/policies/raw/main/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
### What you think should happen instead
In the Helm chart templates for the Scheduler service account and deployment,
the value for `.Values.scheduler.serviceAccount.automountServiceAccountToken`
is only evaluated when the executor is set to "CeleryExecutor". For the
executor "Kubernetes" this is ignored. There is no way to disable the automount
service account token when using the Kubernetes executor.
### How to reproduce
Deploy the Helm chart in a Kubernetes cluster with Kyverno policies
[restrict-automount-sa-token](https://github.com/kyverno/policies/raw/main/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml)
and
[restrict-sa-automount-sa-token](https://github.com/kyverno/policies/raw/main/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml)
(or similar policy frameworks). Use the "Kubernetes" executor and try to
disable `automountServiceAccountToken` for all workloads.
### Anything else
The feature to disable service account token automounting was introduced
with issue [30722](https://github.com/apache/airflow/issues/30722) (PR
[32808](https://github.com/apache/airflow/pull/32808)). There was a subsequent
issue [43464](https://github.com/apache/airflow/issues/43464) (PR
[44173](https://github.com/apache/airflow/pull/44173)) that introduced the
special handling for the Celery Executor and disabled the feature for the
Kubernetes executor completely.
In the PR [44173](https://github.com/apache/airflow/pull/44173), there is a
[suggested workaround](https://github.com/apache/airflow/issues/43464#issuecomment-2553996462)
that would have fixed the issue as well, in a more flexible way.
### Are you willing to submit PR?
- [x] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
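A small check for the gap the issue describes, as an added example (not code from the Airflow chart, Kyverno, or the reporter): given rendered chart manifests parsed into Python dicts, it reports every ServiceAccount and every pod spec that does not carry an explicit `automountServiceAccountToken: false`, which is the property the reporter's Kyverno policies expect. The sample manifests are constructed to resemble the scheduler output described above, and the check deliberately requires an explicit `false` rather than only rejecting `true`.

```python
"""Check rendered Airflow chart manifests for automountServiceAccountToken.

Manifests are passed as already parsed dicts (for example the documents of
`helm template ...` fed through a YAML loader). The samples at the bottom are
constructed for this example, not real chart output.
"""

# Where the pod spec lives for each workload kind (CronJob nests one level deeper).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def _dig(obj, path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_automount(manifests):
    """Return '<kind>/<name>: <reason>' for each manifest lacking an explicit false."""
    violations = []
    for m in manifests:
        kind = m.get("kind")
        name = m.get("metadata", {}).get("name", "?")
        if kind == "ServiceAccount":
            if m.get("automountServiceAccountToken") is not False:
                violations.append(f"ServiceAccount/{name}: automountServiceAccountToken is not false")
        elif kind in POD_SPEC_PATHS:
            spec = _dig(m, POD_SPEC_PATHS[kind]) or {}
            if spec.get("automountServiceAccountToken") is not False:
                violations.append(f"{kind}/{name}: pod spec automountServiceAccountToken is not false")
    return violations


SAMPLE_MANIFESTS = [  # constructed: scheduler SA and Deployment lack the field, worker SA has it
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "airflow-scheduler"}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "airflow-scheduler"},
     "spec": {"template": {"spec": {"containers": []}}}},
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "airflow-worker"},
     "automountServiceAccountToken": False},
]

if __name__ == "__main__":
    for violation in check_automount(SAMPLE_MANIFESTS):
        print(violation)
```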
--
This is an automated message from the Apache Git Service.