mikaeld commented on code in PR #24588: URL: https://github.com/apache/airflow/pull/24588#discussion_r1171883530
########## chart/templates/_helpers.yaml: ########## @@ -171,7 +171,7 @@ If release name contains chart name it will be used as a full name. - name: {{ .Values.dags.gitSync.containerName }}{{ if .is_init }}-init{{ end }} image: {{ template "git_sync_image" . }} imagePullPolicy: {{ .Values.images.gitSync.pullPolicy }} - securityContext: {{- include "localSecurityContext" .Values.dags.gitSync | nindent 4 }} + securityContext: {{ include "localPodSecurityContext" .Values.dags.gitSync | nindent 4 }} Review Comment: ```suggestion securityContext: {{ include "containerSecurityContext" (list . .Values.dags.gitSync) | nindent 4 }} ``` Other changes required :point_down: ### values.yaml ```yaml dags: # [...] gitSync: # [...] securityContexts: container: {} ``` and the equivalent schema in ### values.schemas.json ```json "dags": { "description": "DAGs settings.", "type": "object", "x-docsSection": "Airflow", "additionalProperties": false, "properties": { [...] "gitSync": { "description": "Git sync settings.", "type": "object", "additionalProperties": false, "properties": { [...] "securityContexts": { "description": "Security context definition for the git sync sidecar. If not set, the values from global `securityContexts` will be used.", "type": "object", "x-docsSection": "Kubernetes", "properties": { "container": { "description": "Container security context definition for the git sync sidecar.", "type": "object", "$ref": "#/definitions/io.k8s.api.core.v1.SecurityContext", "default": {}, "x-docsSection": "Kubernetes", "examples": [ { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] } } ] } } }, ``` ########## chart/templates/_helpers.yaml: ########## @@ -729,85 +729,125 @@ server_tls_key_file = /etc/pgbouncer/server.key {{- end }} {{/* -Set the default value for securityContext -If no value is passed for securityContext or <node>.securityContext, defaults to global uid and gid. +Set the default value for pod securityContext +If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid. - +------------------------+ +-----------------+ +-------------------------+ - | <node>.securityContext | -> | securityContext | -> | Values.uid + Values.gid | - +------------------------+ +-----------------+ +-------------------------+ + +-----------------------------+ +------------------------+ +----------------------+ +-----------------+ +-------------------------+ + | <node>.securityContexts.pod | -> | <node>.securityContext | -> | securityContexts.pod | -> | securityContext | -> | Values.uid + Values.gid | + +-----------------------------+ +------------------------+ +----------------------+ +-----------------+ +-------------------------+ -Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContext, +Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod, any extra values set to securityContext or uid+gid will be ignored. The template can be called like so: - include "airflowSecurityContext" (list . .Values.webserver) + include "airflowPodSecurityContext" (list . .Values.webserver) Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template. */}} -{{- define "airflowSecurityContext" -}} - {{- $ := index . 0 }} +{{- define "airflowPodSecurityContext" -}} + {{- $ := index . 0 -}} {{- with index . 1 }} - {{- if .securityContext }} - {{- toYaml .securityContext }} - {{- else if $.Values.securityContext }} - {{- toYaml $.Values.securityContext }} - {{- else }} + {{- if .securityContexts.pod -}} +{{ toYaml .securityContexts.pod | print }} + {{- else if .securityContext -}} +{{ toYaml .securityContext | print }} + {{- else if $.Values.securityContexts.pod -}} +{{ toYaml $.Values.securityContexts.pod | print }} + {{- else if $.Values.securityContext -}} +{{ toYaml $.Values.securityContext | print }} + {{- else -}} runAsUser: {{ $.Values.uid }} fsGroup: {{ $.Values.gid }} {{- end }} {{- end }} {{- end }} {{/* -Set the default value for securityContext -If no value is passed for securityContext or <node>.securityContext, defaults to UID in the local node. +Set the default value for pod securityContext +If no value is passed for <node>.securityContexts.pod or <node>.securityContext, defaults to UID in the local node. - +------------------------+ +-------------+ - | <node>.securityContext | > | <node>.uid | - +------------------------+ +-------------+ + +-----------------------------+ +------------------------+ +-------------+ + | <node>.securityContexts.pod | -> | <node>.securityContext | -> | <node>.uid | + +-----------------------------+ +------------------------+ +-------------+ The template can be called like so: - include "localSecurityContext" .Values.statsd + include "localPodSecurityContext" (list . .Values.schedule) It is important to pass the local variables scope to this template as it is used to determine the local node value for uid. */}} -{{- define "localSecurityContext" -}} - {{- if .securityContext }} - {{- toYaml .securityContext }} - {{- else }} - {{- printf "runAsUser: %v" .uid }} - {{- end }} -{{- end }} +{{- define "localPodSecurityContext" -}} + {{- if .securityContexts.pod -}} +{{ toYaml .securityContexts.pod | print }} + {{- else if .securityContext -}} +{{ toYaml .securityContext | print }} + {{- else -}} +runAsUser: {{ .uid }} + {{- end -}} +{{- end -}} {{/* Set the default value for workers chown for persistent storage -If no value is passed for securityContext or <node>.securityContext, defaults to global uid and gid. +If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid. The template looks for `runAsUser` and `fsGroup` specifically, any other parameter will be ignored. - +------------------------+ +-----------------+ +-------------------------+ - | <node>.securityContext | -> | securityContext | -> | Values.uid + Values.gid | - +------------------------+ +-----------------+ +-------------------------+ + +-----------------------------+ +----------------------------------------------------+ +------------------+ +-------------------------+ + | <node>.securityContexts.pod | -> | securityContexts.pod | <node>.securityContexts.pod | -> | securityContexts | -> | Values.uid + Values.gid | + +-----------------------------+ +----------------------------------------------------+ +------------------+ +-------------------------+ -Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContext, -any extra values set to securityContext or uid+gid will be ignored. +Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod, +any extra values set to securityContexts or uid+gid will be ignored. The template can be called like so: - include "airflowSecurityContextIds" (list . .Values.workers) + include "airflowPodSecurityContextsIds" (list . .Values.webserver) Where `.` is the global variables scope and `.Values.workers` the local variables scope for the workers template. */}} -{{- define "airflowSecurityContextIds" -}} - {{- $ := index . 0 }} +{{- define "airflowPodSecurityContextsIds" -}} + {{- $ := index . 0 -}} {{- with index . 1 }} - {{- if .securityContext }} - {{- pluck "runAsUser" .securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContext | first | default $.Values.gid }} - {{- else if $.Values.securityContext }} - {{- pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} - {{- else }} - {{- printf "%s:%s" $.Values.uid $.Values.gid }} - {{- end }} - {{- end }} -{{- end }} + {{- if .securityContexts.pod -}} +{{ pluck "runAsUser" .securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContexts.pod | first | default $.Values.gid }} + {{- else if $.Values.securityContext -}} +{{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} + {{- else if $.Values.securityContexts.pod -}} +{{ pluck "runAsUser" $.Values.securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContexts.pod | first | default $.Values.gid }} + {{- else if $.Values.securityContext -}} +{{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} + {{- else -}} +{{ $.Values.uid }}:{{ $.Values.gid }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Set the default value for container securityContext +If no value is passed for securityContexts.container or <node>.securityContexts.container, defaults to deny privileges escallation and dropping all POSIX capabilities. + + +-----------------------------------+ +----------------------------+ +-----------------------------------------------------------+ + | <node>.securityContexts.container | -> | securityContexts.container | -> | allowPrivilegesEscalation: false, capabilities.drop: [ALL]| Review Comment: ```suggestion | <node>.securityContexts.container | -> | securityContexts.containers | -> | allowPrivilegesEscalation: false, capabilities.drop: [ALL]| ``` Global container security contexts for containers is `securityContexts.containers` and not `securityContexts.container` ########## chart/templates/_helpers.yaml: ########## @@ -729,85 +729,125 @@ server_tls_key_file = /etc/pgbouncer/server.key {{- end }} {{/* -Set the default value for securityContext -If no value is passed for securityContext or <node>.securityContext, defaults to global uid and gid. +Set the default value for pod securityContext +If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid. - +------------------------+ +-----------------+ +-------------------------+ - | <node>.securityContext | -> | securityContext | -> | Values.uid + Values.gid | - +------------------------+ +-----------------+ +-------------------------+ + +-----------------------------+ +------------------------+ +----------------------+ +-----------------+ +-------------------------+ + | <node>.securityContexts.pod | -> | <node>.securityContext | -> | securityContexts.pod | -> | securityContext | -> | Values.uid + Values.gid | + +-----------------------------+ +------------------------+ +----------------------+ +-----------------+ +-------------------------+ -Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContext, +Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod, any extra values set to securityContext or uid+gid will be ignored. The template can be called like so: - include "airflowSecurityContext" (list . .Values.webserver) + include "airflowPodSecurityContext" (list . .Values.webserver) Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template. */}} -{{- define "airflowSecurityContext" -}} - {{- $ := index . 0 }} +{{- define "airflowPodSecurityContext" -}} + {{- $ := index . 0 -}} {{- with index . 1 }} - {{- if .securityContext }} - {{- toYaml .securityContext }} - {{- else if $.Values.securityContext }} - {{- toYaml $.Values.securityContext }} - {{- else }} + {{- if .securityContexts.pod -}} +{{ toYaml .securityContexts.pod | print }} + {{- else if .securityContext -}} +{{ toYaml .securityContext | print }} + {{- else if $.Values.securityContexts.pod -}} +{{ toYaml $.Values.securityContexts.pod | print }} + {{- else if $.Values.securityContext -}} +{{ toYaml $.Values.securityContext | print }} + {{- else -}} runAsUser: {{ $.Values.uid }} fsGroup: {{ $.Values.gid }} {{- end }} {{- end }} {{- end }} {{/* -Set the default value for securityContext -If no value is passed for securityContext or <node>.securityContext, defaults to UID in the local node. +Set the default value for pod securityContext +If no value is passed for <node>.securityContexts.pod or <node>.securityContext, defaults to UID in the local node. - +------------------------+ +-------------+ - | <node>.securityContext | > | <node>.uid | - +------------------------+ +-------------+ + +-----------------------------+ +------------------------+ +-------------+ + | <node>.securityContexts.pod | -> | <node>.securityContext | -> | <node>.uid | + +-----------------------------+ +------------------------+ +-------------+ The template can be called like so: - include "localSecurityContext" .Values.statsd + include "localPodSecurityContext" (list . .Values.schedule) It is important to pass the local variables scope to this template as it is used to determine the local node value for uid. */}} -{{- define "localSecurityContext" -}} - {{- if .securityContext }} - {{- toYaml .securityContext }} - {{- else }} - {{- printf "runAsUser: %v" .uid }} - {{- end }} -{{- end }} +{{- define "localPodSecurityContext" -}} + {{- if .securityContexts.pod -}} +{{ toYaml .securityContexts.pod | print }} + {{- else if .securityContext -}} +{{ toYaml .securityContext | print }} + {{- else -}} +runAsUser: {{ .uid }} + {{- end -}} +{{- end -}} {{/* Set the default value for workers chown for persistent storage -If no value is passed for securityContext or <node>.securityContext, defaults to global uid and gid. +If no value is passed for securityContexts.pod or <node>.securityContexts.pod or legacy securityContext and <node>.securityContext, defaults to global uid and gid. The template looks for `runAsUser` and `fsGroup` specifically, any other parameter will be ignored. - +------------------------+ +-----------------+ +-------------------------+ - | <node>.securityContext | -> | securityContext | -> | Values.uid + Values.gid | - +------------------------+ +-----------------+ +-------------------------+ + +-----------------------------+ +----------------------------------------------------+ +------------------+ +-------------------------+ + | <node>.securityContexts.pod | -> | securityContexts.pod | <node>.securityContexts.pod | -> | securityContexts | -> | Values.uid + Values.gid | + +-----------------------------+ +----------------------------------------------------+ +------------------+ +-------------------------+ -Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContext, -any extra values set to securityContext or uid+gid will be ignored. +Values are not accumulated meaning that if runAsUser is set to 10 in <node>.securityContexts.pod, +any extra values set to securityContexts or uid+gid will be ignored. The template can be called like so: - include "airflowSecurityContextIds" (list . .Values.workers) + include "airflowPodSecurityContextsIds" (list . .Values.webserver) Where `.` is the global variables scope and `.Values.workers` the local variables scope for the workers template. */}} -{{- define "airflowSecurityContextIds" -}} - {{- $ := index . 0 }} +{{- define "airflowPodSecurityContextsIds" -}} + {{- $ := index . 0 -}} {{- with index . 1 }} - {{- if .securityContext }} - {{- pluck "runAsUser" .securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContext | first | default $.Values.gid }} - {{- else if $.Values.securityContext }} - {{- pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} - {{- else }} - {{- printf "%s:%s" $.Values.uid $.Values.gid }} - {{- end }} - {{- end }} -{{- end }} + {{- if .securityContexts.pod -}} +{{ pluck "runAsUser" .securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" .securityContexts.pod | first | default $.Values.gid }} + {{- else if $.Values.securityContext -}} +{{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} + {{- else if $.Values.securityContexts.pod -}} +{{ pluck "runAsUser" $.Values.securityContexts.pod | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContexts.pod | first | default $.Values.gid }} + {{- else if $.Values.securityContext -}} +{{ pluck "runAsUser" $.Values.securityContext | first | default $.Values.uid }}:{{ pluck "fsGroup" $.Values.securityContext | first | default $.Values.gid }} + {{- else -}} +{{ $.Values.uid }}:{{ $.Values.gid }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Set the default value for container securityContext +If no value is passed for securityContexts.container or <node>.securityContexts.container, defaults to deny privileges escallation and dropping all POSIX capabilities. + + +-----------------------------------+ +----------------------------+ +-----------------------------------------------------------+ + | <node>.securityContexts.container | -> | securityContexts.container | -> | allowPrivilegesEscalation: false, capabilities.drop: [ALL]| + +-----------------------------------+ +----------------------------+ +-----------------------------------------------------------+ + + +The template can be called like so: + include "containerSecurityContext" (list . .Values.statsd) + +Where `.` is the global variables scope and `.Values.webserver` the local variables scope for the webserver template. +*/}} +{{- define "containerSecurityContext" -}} + {{- $ := index . 0 -}} + {{- with index . 1 }} + {{- if .securityContexts.container -}} +{{ toYaml .securityContexts.container | print }} + {{- else if $.Values.securityContexts.container -}} +{{ toYaml $.Values.securityContexts.container | print }} Review Comment: ```suggestion {{- else if $.Values.securityContexts.containers -}} {{ toYaml $.Values.securityContexts.containers | print }} ``` Same thing here, `securityContexts.containers` and not `securityContexts.container` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org