mwojtyczka commented on code in PR #63704:
URL: https://github.com/apache/airflow/pull/63704#discussion_r2939297943
##########
providers/databricks/src/airflow/providers/databricks/hooks/databricks_base.py:
##########
@@ -696,7 +698,7 @@ def _get_k8s_token_request_api(self) -> str:
"Content-Type": "application/json",
},
json=self._build_k8s_token_request_payload(audience,
expiration_seconds),
- verify=False, # K8s in-cluster uses self-signed certs
+ verify=K8S_CA_CERT_PATH,
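Review bot: `K8S_CA_CERT_PATH` is used here but neither its definition nor an import is in the hunk; confirm it is a module-level constant set to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` (the path the review comment names) rather than a value that can be unset at call time. When that file is absent, as on the non-conformant distributions the comment mentions, `requests` fails with a generic OSError about a missing CA bundle, so consider an up-front `os.path.isfile(K8S_CA_CERT_PATH)` check that raises an `AirflowException` naming the path, which makes the failure obvious in task logs; the fallback must not be `verify=False`. Dropping the old `# K8s in-cluster uses self-signed certs` comment is right, since the API server certificate is issued by the cluster CA that this bundle contains, not a per-pod self-signed one.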
Review Comment:
Technically yes for non-standard setups — but not for anyone running a
conformant Kubernetes cluster. This is a security fix that enforces what should
always have been the behaviour.
The CA bundle at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` is automatically mounted in every pod by the Kubernetes API server as part of the [service account token projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting).
This is true for EKS, AKS, GKE, and vanilla Kubernetes.
Where it could break: Non-conformant or highly custom distributions that
don't mount ca.crt at the standard path.
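A pre-flight check for the case the comment raises, as an added example and not code from the Airflow PR: it resolves the in-cluster CA bundle at the standard path named above and fails with a clear message when the file is missing or holds no certificate, instead of a generic TLS or file error. The constant value is the path from the comment; the helper names and the lightweight PEM check are this example's own assumptions.

```python
import base64
import binascii
import os
import re

# Standard in-cluster path projected into every pod (the path named in the review thread).
K8S_CA_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class K8sCaBundleError(RuntimeError):
    """The in-cluster CA bundle cannot be used for TLS verification."""


def count_pem_certificates(data: bytes) -> int:
    """Count PEM certificate blocks whose body is base64 wrapping a DER SEQUENCE.
    Pre-flight sanity check only: OpenSSL parses the bundle fully at connect time."""
    found = 0
    for body in _PEM_CERT.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise K8sCaBundleError("PEM certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
            raise K8sCaBundleError("PEM certificate body is not DER-encoded X.509")
        found += 1
    return found


def resolve_k8s_ca_bundle(path: str = K8S_CA_CERT_PATH) -> str:
    """Return `path` if it exists and holds at least one certificate, else raise a
    clear error instead of the generic OSError requests gives for a missing bundle."""
    if not os.path.isfile(path):
        raise K8sCaBundleError(
            f"Kubernetes CA bundle not found at {path}: this cluster does not mount the "
            "standard service-account CA, so in-cluster TLS cannot be verified"
        )
    with open(path, "rb") as fh:
        if count_pem_certificates(fh.read()) == 0:
            raise K8sCaBundleError(f"Kubernetes CA bundle at {path} contains no certificates")
    return path


def ca_bundle_problem(path: str):
    """Describe why `path` is unusable, or return None when it is fine."""
    try:
        resolve_k8s_ca_bundle(path)
    except K8sCaBundleError as exc:
        return str(exc)
    return None
```

The resolved path is what goes into `verify=` on the token request; when it raises, the task fails with the reason in the log rather than a bare SSL error.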
--
This is an automated message from the Apache Git Service.