[I] Global Container Security Context does not work for Git Sync container [airflow]

Wed, 01 Nov 2023 07:58:08 -0700 


ahipp13 opened a new issue, #35350:
URL: https://github.com/apache/airflow/issues/35350

   ### Official Helm Chart version
   
   1.10.0
   
   ### Apache Airflow version
   
   2.6.3
   
   ### Kubernetes Version
   
   1.26.5
   
   ### Helm Chart configuration
   
   _No response_
   
   ### Docker Image customizations
   
   _No response_
   
   ### What happened
   
   Idk if this is the intended way this should work, but when I set the global 
containerSecurityContext like:
   
   # Detailed default security context for airflow deployments
   securityContexts:
     pod:
       runAsUser: 50000
       runAsGroup: 50000
       fsGroup: 50000
     containers:
       capabilities:
         drop:
           - KILL
           - MKNOD
           - SYS_CHROOT
           
    This does not apply to the "git sync" container. In order for me to get it 
to apply to the git sync container, I also have to set these in the 
"dags.gitSync" section like:
    
        securityContexts:
         container:
           capabilities:
             drop:
               - KILL
               - MKNOD
               - SYS_CHROOT
   
   ### What you think should happen instead
   
   When you set a global container security context, it should also apply to 
the git sync container
   
   ### How to reproduce
   
   The cluster I deploy to requires some container security context settings, 
so for me to reproduce I just set the global container security context and try 
to deploy, and if it won't let me deploy I look in the logs and it will say the 
git sync container does not have the required container security context.
   
   ### Anything else
   
   I looked through the 1.11.0 helm chart release notes and did not see this 
was fixed. Also I do not know if this is the intended way this is supposed to 
work. Just wanted to bring it to light!
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to