This is an automated email from the ASF dual-hosted git repository. ash pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/master by this push: new 1024c92 Update KubeExecutor pod templates to allow access to IAM permissions (#15669) 1024c92 is described below commit 1024c922e603bb2e9d7de279761724609e4b4059 Author: Ash Berlin-Taylor <ash_git...@firemirror.com> AuthorDate: Thu May 6 09:39:31 2021 +0100 Update KubeExecutor pod templates to allow access to IAM permissions (#15669) If AWS's Identity-based IAM policies are in use on the cluster the token file will be mounted into the pod (via the service account) and, prior to this change, will be owned by root. Specifying `fsGroup` makes the file group-readable by the `airflow` user. We already specify this in our helm chart, so this change is just for anyone looking at the docs. --- .../kubernetes/pod_template_file_examples/dags_in_image_template.yaml | 1 + .../kubernetes/pod_template_file_examples/dags_in_volume_template.yaml | 1 + airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml index 686d1d1..27a7e96 100644 --- a/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml +++ b/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml @@ -65,6 +65,7 @@ spec: restartPolicy: Never securityContext: runAsUser: 50000 + fsGroup: 50000 nodeSelector: {} affinity: diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml index cf2daec..a290cf5 100644 --- a/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml +++ b/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml @@ -62,6 +62,7 @@ spec: restartPolicy: Never securityContext: runAsUser: 50000 + fsGroup: 50000 nodeSelector: {} affinity: 
diff --git a/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml b/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml index dee6a08..05d3609 100644 --- a/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml +++ b/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml @@ -86,6 +86,7 @@ spec: restartPolicy: Never securityContext: runAsUser: 50000 + fsGroup: 50000 nodeSelector: {} affinity:
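Review bot: the new `fsGroup: 50000` line under `securityContext` in dags_in_image_template.yaml (hunk `@@ -65,6 +65,7`) carries no comment, and because these files are examples that people copy, the reason for it is only recorded in the commit message. Suggest a YAML comment directly above the line saying that it makes the service-account token file mounted for AWS IAM group-readable by the process running as `runAsUser: 50000`, so that someone trimming the template knows what breaks if the line is removed.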
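Review bot: in dags_in_volume_template.yaml (hunk `@@ -62,6 +62,7`) the pod-level `fsGroup: 50000` is not limited to the token file. Kubernetes applies it to every volume in the pod that supports ownership management, changing group ownership and permissions recursively at mount time. In a template whose purpose is mounting DAGs from a volume, that can alter ownership on the DAGs volume and slow pod start on large trees. Consider noting this next to the setting, or pairing it with `fsGroupChangePolicy: OnRootMismatch` where the cluster version supports that field.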
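Review bot: in git_sync_template.yaml (hunk `@@ -86,6 +86,7`) `fsGroup: 50000` sits in the pod-level `securityContext`, so it applies to every container in the pod, not only the one running as `runAsUser: 50000`. Any container that syncs DAGs into a shared volume will also get gid 50000 as a supplemental group and see that volume group-owned by 50000. Please confirm this was checked against the sync container in this template, and mention it in a comment if the sync container relies on its own uid or gid for the shared volume.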