[
https://issues.apache.org/jira/browse/AIRFLOW-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jon Davies updated AIRFLOW-2740:
--------------------------------
Description:
The Airflow Executor needs to ship with an example policy, something like:
{code:java}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["create", "delete", "get", "watch", "list"]
---
# This role binding allows "default" to read pods in the "testing-airflow" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: default # Name is case sensitive
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
{code}
was:
The Airflow Executor needs to ship with an example policy, something like:
{code}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: production-airflow
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["create", "delete", "get", "watch", "list"]
---
# This role binding allows "default" to read pods in the "testing-airflow" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: default # Name is case sensitive
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
{code}
> Kubernetes RBAC policy required
> -------------------------------
>
> Key: AIRFLOW-2740
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2740
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Jon Davies
> Priority: Major
>
> The Airflow Executor needs to ship with an example policy, something like:
> {code:java}
> kind: Role
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: pod-reader
> rules:
> - apiGroups: [""] # "" indicates the core API group
>   resources: ["pods"]
>   verbs: ["create", "delete", "get", "watch", "list"]
> ---
> # This role binding allows "default" to read pods in the "testing-airflow" namespace.
> kind: RoleBinding
> apiVersion: rbac.authorization.k8s.io/v1
> metadata:
>   name: read-pods
> subjects:
> - kind: ServiceAccount
>   name: default # Name is case sensitive
> roleRef:
>   kind: Role #this must be Role or ClusterRole
>   name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
>   apiGroup: rbac.authorization.k8s.io
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)