[GitHub] [airflow] jedcunningham commented on a change in pull request #18249: Add support for securityContext per deployment

GitBox Wed, 03 Nov 2021 17:35:23 -0700


jedcunningham commented on a change in pull request #18249:
URL: https://github.com/apache/airflow/pull/18249#discussion_r742089969




##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to UID in the local node
   ```

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node
+*/}}
+{{- define "localSecurityContext" -}}
+  {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to global uid and gid
   ```

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to global uid and gid
   ```

##########
File path: chart/tests/test_security_context.py
##########
@@ -0,0 +1,189 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import jmespath
+
+from tests.helm_template_generator import render_chart
+
+
+class TestSCBackwardsCompatibility:
+    def test_check_deployments_and_jobs(self):
+        docs = render_chart(
+            values={
+                "uid": 3000,
+                "gid": 30,
+                "webserver": {"defaultUser": {"enabled": True}},
+                "flower": {"enabled": True},
+                "airflowVersion": "2.2.0",
+                "executor": "CeleryKubernetesExecutor",
+            },
+            show_only=[
+                "templates/flower/flower-deployment.yaml",
+                "templates/scheduler/scheduler-deployment.yaml",
+                "templates/triggerer/triggerer-deployment.yaml",
+                "templates/webserver/webserver-deployment.yaml",
+                "templates/workers/worker-deployment.yaml",
+                "templates/jobs/create-user-job.yaml",
+                "templates/jobs/migrate-database-job.yaml",
+            ],
+        )
+
+        assert 3000 == 
jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+        assert 30 == 
jmespath.search("spec.template.spec.securityContext.fsGroup", docs[0])

Review comment:
       ```suggestion
           for doc in docs:
               assert 3000 == 
jmespath.search("spec.template.spec.securityContext.runAsUser", doc)
               assert 30 == 
jmespath.search("spec.template.spec.securityContext.fsGroup", doc)
   ```
   
   Sorry, my last set of suggestions may not have been clear. For the tests 
where we do have more than 1 doc (e.g. more than 1 template in `show_only` in 
this case), we should check them all.

##########
File path: chart/templates/workers/worker-deployment.yaml
##########
@@ -111,7 +110,7 @@ spec:
           command:
             - chown
             - -R
-            - "{{ .Values.uid }}:{{ .Values.gid }}"
+            - "{{ include "globalSecurityContextIds" (list . .Values.workers) 
}}"

Review comment:
       I'd wondering if we'd be better off doing something like this instead 
(untested, but you get the idea):
   
   `bash -c 'exec chown -R $(id -u):$(id -g) {{ template "airflow_logs" . }}`
   
   Then `chown` can just use the uid/gid it's running as instead of being 
configured explicitly.

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node
+*/}}
+{{- define "localSecurityContext" -}}
+  {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContextIds" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ pluck "runAsUser" .securityContext | first }}:{{ pluck "fsGroup" 
.securityContext | first }}

Review comment:
       Does this work if only `securityContext.runAsUser` is set?

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to UID in the local node
   ```

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node
+*/}}
+{{- define "localSecurityContext" -}}
+  {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to global uid and gid
   ```

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid

Review comment:
       ```suggestion
   If no value is passed for securityContext or <node>.securityContext, 
defaults to global uid and gid
   ```

##########
File path: chart/tests/test_security_context.py
##########
@@ -0,0 +1,189 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import jmespath
+
+from tests.helm_template_generator import render_chart
+
+
+class TestSCBackwardsCompatibility:
+    def test_check_deployments_and_jobs(self):
+        docs = render_chart(
+            values={
+                "uid": 3000,
+                "gid": 30,
+                "webserver": {"defaultUser": {"enabled": True}},
+                "flower": {"enabled": True},
+                "airflowVersion": "2.2.0",
+                "executor": "CeleryKubernetesExecutor",
+            },
+            show_only=[
+                "templates/flower/flower-deployment.yaml",
+                "templates/scheduler/scheduler-deployment.yaml",
+                "templates/triggerer/triggerer-deployment.yaml",
+                "templates/webserver/webserver-deployment.yaml",
+                "templates/workers/worker-deployment.yaml",
+                "templates/jobs/create-user-job.yaml",
+                "templates/jobs/migrate-database-job.yaml",
+            ],
+        )
+
+        assert 3000 == 
jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
+        assert 30 == 
jmespath.search("spec.template.spec.securityContext.fsGroup", docs[0])

Review comment:
       ```suggestion
           for doc in docs:
               assert 3000 == 
jmespath.search("spec.template.spec.securityContext.runAsUser", doc)
               assert 30 == 
jmespath.search("spec.template.spec.securityContext.fsGroup", doc)
   ```
   
   Sorry, my last set of suggestions may not have been clear. For the tests 
where we do have more than 1 doc (e.g. more than 1 template in `show_only` in 
this case), we should check them all.

##########
File path: chart/templates/workers/worker-deployment.yaml
##########
@@ -111,7 +110,7 @@ spec:
           command:
             - chown
             - -R
-            - "{{ .Values.uid }}:{{ .Values.gid }}"
+            - "{{ include "globalSecurityContextIds" (list . .Values.workers) 
}}"

Review comment:
       I'd wondering if we'd be better off doing something like this instead 
(untested, but you get the idea):
   
   `bash -c 'exec chown -R $(id -u):$(id -g) {{ template "airflow_logs" . }}`
   
   Then `chown` can just use the uid/gid it's running as instead of being 
configured explicitly.

##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +609,50 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContext" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+    {{- else if $.Values.securityContext -}}
+{{ toYaml $.Values.securityContext | print }}
+    {{- else -}}
+runAsUser: {{ $.Values.uid }}
+fsGroup: {{ $.Values.gid }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for securityContext
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to UID in the local node
+*/}}
+{{- define "localSecurityContext" -}}
+  {{- if .securityContext -}}
+{{ toYaml .securityContext | print }}
+  {{- else -}}
+runAsUser: {{ .uid }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Set the default value for workers chown for persistent storage
+If no value is passed for secirityCpntext or <node>.securityContext, defaults 
to global uid and gid
+*/}}
+{{- define "globalSecurityContextIds" -}}
+  {{- $ := index . 0 -}}
+  {{- with index . 1 }}
+    {{- if .securityContext -}}
+{{ pluck "runAsUser" .securityContext | first }}:{{ pluck "fsGroup" 
.securityContext | first }}

Review comment:
       Does this work if only `securityContext.runAsUser` is set?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [airflow] jedcunningham commented on a change in pull request #18249: Add support for securityContext per deployment

Reply via email to