Update charts to follow Helm RBAC best practices #11769

Closed
wants to merge 6 commits into from
13 changes: 10 additions & 3 deletions chart/README.md
@@ -131,7 +131,7 @@ The following tables lists the configurable parameters of the Airflow chart and
| `ingress.flower.*` | Configs for the Ingress of the flower Service | Please refer to `values.yaml` |
| `networkPolicies.enabled` | Enable Network Policies to restrict traffic | `true` |
| `airflowHome` | Location of airflow home directory | `/opt/airflow` |
| `rbacEnabled` | Deploy pods with Kubernetes RBAC enabled | `true` |
| `rbac.create` | Deploy pods with Kubernetes RBAC enabled | `true` |
| `executor` | Airflow executor (eg SequentialExecutor, LocalExecutor, CeleryExecutor, KubernetesExecutor) | `KubernetesExecutor` |
| `allowPodLaunching` | Allow airflow pods to talk to Kubernetes API to launch more pods | `true` |
| `defaultAirflowRepository` | Fallback docker repository to pull airflow image from | `apache/airflow` |
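Review bot: the description for `rbac.create` still reads "Deploy pods with Kubernetes RBAC enabled", which does not describe what the flag does: in this PR it gates the rendering of the Role/ClusterRole and RoleBinding objects under `chart/templates/rbac/`, and says nothing about the pods. Suggest "Create RBAC resources (Roles and RoleBindings) for pod launching and cleanup". Because `rbacEnabled` is removed rather than deprecated, an existing values file with `rbacEnabled: false` is silently ignored after upgrade and the RBAC objects come back by default; a one-line migration note in the README or the PR description would save users that surprise.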
@@ -171,6 +171,9 @@ The following tables lists the configurable parameters of the Airflow chart and
| `kerberos.reinitFrequency` | Frequency of reinitialization of the Kerberos token | `3600` |
| `kerberos.config` | Content of the configuration file for kerberos (might be templated using Helm templates) | `<see values.yaml>` |
| `workers.replicas` | Replica count for Celery workers (if applicable) | `1` |
| `workers.serviceAccount.create` | Create ServiceAccount for workers | `true` |
| `workers.serviceAccount.name` | Name of ServiceAccount. If not set and create is true, a name is generated using the release name. | `~` |
| `workers.serviceAccount.annotations` | Annotations to add to worker kubernetes service account | `{}` |
| `workers.keda.enabled` | Enable KEDA autoscaling features | `false` |
| `workers.keda.pollingInverval` | How often KEDA should poll the backend database for metrics in seconds | `5` |
| `workers.keda.cooldownPeriod` | How often KEDA should wait before scaling down in seconds | `30` |
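Review bot: the `workers.serviceAccount.name` row says a name is generated "If not set and create is true", but the templates in this PR (`worker-deployment.yaml`, `pod-launcher-rolebinding.yaml`, `pod-template-file.kubernetes-helm-yaml`) use `default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name` with no check on `create`, so the generated name is used whenever `name` is unset. Either document that `create: false` requires `name` to be set, or make the templates fall back to `default` on the `create: false` branch, as the `helm create` scaffold does, so the table stays accurate.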
@@ -185,19 +188,20 @@ The following tables lists the configurable parameters of the Airflow chart and
| `workers.resources.requests.memory` | Memory Request of workers | `~` |
| `workers.terminationGracePeriodSeconds` | How long Kubernetes should wait for Celery workers to gracefully drain before force killing | `600` |
| `workers.safeToEvict` | Allow Kubernetes to evict worker pods if needed (node downscaling) | `true` |
| `workers.serviceAccountAnnotations` | Annotations to add to worker kubernetes service account | `{}` |
| `workers.extraVolumes` | Mount additional volumes into worker | `[]` |
| `workers.extraVolumeMounts` | Mount additional volumes into worker | `[]` |
| `scheduler.podDisruptionBudget.enabled` | Enable PDB on Airflow scheduler | `false` |
| `scheduler.podDisruptionBudget.config.maxUnavailable` | MaxUnavailable pods for scheduler | `1` |
| `scheduler.replicas` | # of parallel schedulers (Airflow 2.0 using Mysql 8+ or Postgres only) | `1` |
| `scheduler.serviceAccount.create` | Create ServiceAccount for scheduler | `true` |
| `scheduler.serviceAccount.name` | Name of ServiceAccount. If not set and create is true, a name is generated using the release name. | `~` |
| `scheduler.serviceAccount.annotations` | Annotations to add to scheduler kubernetes service account | `{}` |
| `scheduler.resources.limits.cpu` | CPU Limit of scheduler | `~` |
| `scheduler.resources.limits.memory` | Memory Limit of scheduler | `~` |
| `scheduler.resources.requests.cpu` | CPU Request of scheduler | `~` |
| `scheduler.resources.requests.memory` | Memory Request of scheduler | `~` |
| `scheduler.airflowLocalSettings` | Custom Airflow local settings python file | `~` |
| `scheduler.safeToEvict` | Allow Kubernetes to evict scheduler pods if needed (node downscaling) | `true` |
| `scheduler.serviceAccountAnnotations` | Annotations to add to scheduler kubernetes service account | `{}` |
| `scheduler.extraVolumes` | Mount additional volumes into scheduler | `[]` |
| `scheduler.extraVolumeMounts` | Mount additional volumes into scheduler | `[]` |
| `webserver.livenessProbe.initialDelaySeconds` | Webserver LivenessProbe initial delay | `15` |
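Review bot: `workers.serviceAccountAnnotations` and `scheduler.serviceAccountAnnotations` are removed outright in favour of `workers.serviceAccount.annotations` and `scheduler.serviceAccount.annotations`. Helm does not reject unknown values keys, so an existing values file that uses the old keys (typically for `eks.amazonaws.com/role-arn` or `iam.gke.io/gcp-service-account`) renders without error and the pods silently lose their cloud IAM identity on upgrade. Suggest a migration note in this table, or a transitional `default .Values.workers.serviceAccountAnnotations .Values.workers.serviceAccount.annotations` in the templates for one release.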
@@ -209,6 +213,9 @@ The following tables lists the configurable parameters of the Airflow chart and
| `webserver.readinessProbe.failureThreshold` | Webserver ReadinessProbe failure threshold | `20` |
| `webserver.readinessProbe.periodSeconds` | Webserver ReadinessProbe period seconds | `5` |
| `webserver.replicas` | How many Airflow webserver replicas should run | `1` |
| `webserver.serviceAccount.create` | Create ServiceAccount for webserver | `true` |
| `webserver.serviceAccount.name` | Name of ServiceAccount. If not set and create is true, a name is generated using the release name. | `~` |
| `webserver.serviceAccount.annotations` | Annotations to add to webserver kubernetes service account | `{}` |
| `webserver.resources.limits.cpu` | CPU Limit of webserver | `~` |
| `webserver.resources.limits.memory` | Memory Limit of webserver | `~` |
| `webserver.resources.requests.cpu` | CPU Request of webserver | `~` |
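Review bot: the cleanup job gets the same treatment in the templates (`cleanup.serviceAccount.create` and `cleanup.serviceAccount.name` are referenced in `cleanup-serviceaccount.yaml`, `cleanup-cronjob.yaml` and `pod-cleanup-rolebinding.yaml`), but the README only documents the worker, scheduler and webserver variants. Add matching `cleanup.serviceAccount.create`, `cleanup.serviceAccount.name` and, if supported, `cleanup.serviceAccount.annotations` rows so the table remains the complete parameter list it claims to be.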
2 changes: 1 addition & 1 deletion chart/files/pod-template-file.kubernetes-helm-yaml
@@ -72,7 +72,7 @@ spec:
{{ toYaml .Values.affinity | indent 8 }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
serviceAccountName: '{{ .Release.Name }}-worker'
serviceAccountName: {{ default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name }}
volumes:
{{- if .Values.dags.persistence.enabled }}
- name: dags
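Review bot: with `workers.serviceAccount.create: false` and `workers.serviceAccount.name` unset, `default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name` still resolves to `<release>-worker`, which nothing has created, so every KubernetesExecutor task pod launched from this template is rejected with a missing service account error. The `helm create` scaffold avoids this with `default "default" .Values.serviceAccount.name` on the `create: false` branch; the same conditional belongs here and in the other `serviceAccountName` sites.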
2 changes: 1 addition & 1 deletion chart/templates/cleanup/cleanup-cronjob.yaml
@@ -51,7 +51,7 @@ spec:
{{ toYaml .Values.affinity | indent 12 }}
tolerations:
{{ toYaml .Values.tolerations | indent 12 }}
serviceAccountName: {{ .Release.Name }}-cleanup
serviceAccountName: {{ default (printf "%s-cleanup" .Release.Name) .Values.cleanup.serviceAccount.name }}
{{- if or .Values.registry.secretName .Values.registry.connection }}
imagePullSecrets:
- name: {{ template "registry_secret" . }}
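Review bot: `.Values.cleanup.serviceAccount.name` is dereferenced unconditionally here (and in `cleanup-serviceaccount.yaml` and `pod-cleanup-rolebinding.yaml`), so unless `values.yaml`, which is not visible in this diff, defines a `cleanup.serviceAccount` map with `create` and `name` keys, rendering fails with a nil pointer evaluating `interface {}.name` even when `cleanup.enabled` is false. Please confirm the defaults are added alongside the `workers`, `scheduler` and `webserver` ones.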
4 changes: 2 additions & 2 deletions chart/templates/cleanup/cleanup-serviceaccount.yaml
@@ -18,11 +18,11 @@
################################
## Airflow Cleanup ServiceAccount
#################################
{{- if and .Values.rbacEnabled .Values.cleanup.enabled }}
{{- if and .Values.cleanup.serviceAccount.create .Values.cleanup.enabled }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ .Release.Name }}-cleanup
name: {{ default (printf "%s-cleanup" .Release.Name) .Values.cleanup.serviceAccount.name }}
labels:
tier: airflow
release: {{ .Release.Name }}
2 changes: 1 addition & 1 deletion chart/templates/rbac/pod-cleanup-role.yaml
@@ -18,7 +18,7 @@
################################
## Airflow Cleanup Role
#################################
{{- if and .Values.rbacEnabled .Values.cleanup.enabled }}
{{- if and .Values.rbac.create .Values.cleanup.enabled }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
4 changes: 2 additions & 2 deletions chart/templates/rbac/pod-cleanup-rolebinding.yaml
@@ -18,7 +18,7 @@
################################
## Airflow Cleanup Role Binding
#################################
{{- if and .Values.rbacEnabled .Values.cleanup.enabled }}
{{- if and .Values.rbac.create .Values.cleanup.enabled }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -37,6 +37,6 @@ roleRef:
name: {{ .Release.Name }}-cleanup-role
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-cleanup
name: {{ default (printf "%s-cleanup" .Release.Name) .Values.cleanup.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end }}
2 changes: 1 addition & 1 deletion chart/templates/rbac/pod-launcher-role.yaml
@@ -18,7 +18,7 @@
################################
## Airflow Pod Launcher Role
#################################
{{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
{{- if and .Values.rbac.create .Values.allowPodLaunching }}
{{- if .Values.multiNamespaceMode }}
kind: ClusterRole
{{- else }}
6 changes: 3 additions & 3 deletions chart/templates/rbac/pod-launcher-rolebinding.yaml
@@ -18,7 +18,7 @@
################################
## Airflow Pod Launcher Role Binding
#################################
{{- if and .Values.rbacEnabled .Values.allowPodLaunching }}
{{- if and .Values.rbac.create .Values.allowPodLaunching }}
{{- $grantScheduler := or (eq .Values.executor "LocalExecutor") (eq .Values.executor "SequentialExecutor") (eq .Values.executor "KubernetesExecutor") (eq .Values.executor "CeleryKubernetesExecutor")}}
{{- $grantWorker := or (eq .Values.executor "CeleryExecutor") (eq .Values.executor "KubernetesExecutor") (eq .Values.executor "CeleryKubernetesExecutor") }}
{{- if .Values.multiNamespaceMode }}
@@ -51,12 +51,12 @@ roleRef:
subjects:
{{- if $grantScheduler }}
- kind: ServiceAccount
name: {{ .Release.Name }}-scheduler
name: {{ default (printf "%s-scheduler" .Release.Name) .Values.scheduler.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- if $grantWorker }}
- kind: ServiceAccount
name: {{ .Release.Name }}-worker
name: {{ default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
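Review bot: the expression `default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name` is now copied verbatim into this binding, `worker-serviceaccount.yaml`, `worker-deployment.yaml` and `pod-template-file.kubernetes-helm-yaml` (and the scheduler expression into three files of its own). If any one copy drifts, the RoleBinding subject and the pod's `serviceAccountName` stop matching and pod launching fails at runtime with a Forbidden from the API server instead of at `helm template` time. Suggest named templates in `_helpers.tpl`, e.g. `{{ define "airflow.workerServiceAccountName" }}` and `{{ define "airflow.schedulerServiceAccountName" }}`, and `{{ include ... . }}` at every site, which is also where a `create: false` fallback can live once.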
2 changes: 1 addition & 1 deletion chart/templates/scheduler/scheduler-deployment.yaml
@@ -81,7 +81,7 @@ spec:
{{ toYaml .Values.tolerations | indent 8 }}
restartPolicy: Always
terminationGracePeriodSeconds: 10
serviceAccountName: {{ .Release.Name }}-scheduler
serviceAccountName: {{ default (printf "%s-scheduler" .Release.Name) .Values.scheduler.serviceAccount.name }}
securityContext:
runAsUser: {{ .Values.uid }}
fsGroup: {{ .Values.gid }}
6 changes: 3 additions & 3 deletions chart/templates/scheduler/scheduler-serviceaccount.yaml
@@ -18,11 +18,11 @@
################################
## Airflow Scheduler ServiceAccount
#################################
{{- if .Values.rbacEnabled }}
{{- if .Values.scheduler.serviceAccount.create }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ .Release.Name }}-scheduler
name: {{ default (printf "%s-scheduler" .Release.Name) .Values.scheduler.serviceAccount.name }}
labels:
tier: airflow
release: {{ .Release.Name }}
@@ -31,7 +31,7 @@ metadata:
{{- with .Values.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.scheduler.serviceAccountAnnotations }}
{{- with .Values.scheduler.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
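Review bot: the scheduler annotations block runs every value through `tpl` and `quote`, while the webserver (`webserver-serviceaccount.yaml`) and worker (`worker-serviceaccount.yaml`) blocks touched in this PR dump the map with `toYaml`. The main use of these annotations is cloud IAM binding, where users often want `{{ .Release.Name }}` or `{{ .Release.Namespace }}` inside the value, so the three should behave the same; pick `tpl` everywhere or nowhere and state which in the new `*.serviceAccount.annotations` README rows.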
2 changes: 1 addition & 1 deletion chart/templates/webserver/webserver-deployment.yaml
@@ -59,7 +59,7 @@ spec:
{{- toYaml .Values.airflowPodAnnotations | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ .Release.Name }}-webserver
serviceAccountName: {{ default (printf "%s-webserver" .Release.Name) .Values.webserver.serviceAccount.name }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
affinity:
6 changes: 4 additions & 2 deletions chart/templates/webserver/webserver-serviceaccount.yaml
@@ -18,10 +18,11 @@
######################################
## Airflow Webserver ServiceAccount
######################################
{{- if .Values.webserver.serviceAccount.create }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ .Release.Name }}-webserver
name: {{ default (printf "%s-webserver" .Release.Name) .Values.webserver.serviceAccount.name }}
labels:
tier: airflow
release: {{ .Release.Name }}
@@ -30,7 +31,8 @@ metadata:
{{- with .Values.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webserver.serviceAccountAnnotations }}
{{- with .Values.webserver.serviceAccount.annotations }}
annotations:
{{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion chart/templates/workers/worker-deployment.yaml
@@ -72,7 +72,7 @@ spec:
{{ toYaml .Values.tolerations | indent 8 }}
terminationGracePeriodSeconds: {{ .Values.workers.terminationGracePeriodSeconds }}
restartPolicy: Always
serviceAccountName: {{ .Release.Name }}-worker
serviceAccountName: {{ default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name }}
securityContext:
runAsUser: {{ .Values.uid }}
fsGroup: {{ .Values.gid }}
6 changes: 3 additions & 3 deletions chart/templates/workers/worker-serviceaccount.yaml
@@ -18,11 +18,11 @@
################################
## Airflow Worker ServiceAccount
#################################
{{- if .Values.rbacEnabled }}
{{- if .Values.workers.serviceAccount.create }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ .Release.Name }}-worker
name: {{ default (printf "%s-worker" .Release.Name) .Values.workers.serviceAccount.name }}
labels:
tier: airflow
release: {{ .Release.Name }}
@@ -31,7 +31,7 @@ metadata:
{{- with .Values.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.workers.serviceAccountAnnotations}}
{{- with .Values.workers.serviceAccount.annotations}}
annotations:
{{ toYaml . | nindent 4 }}
{{- end }}
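Review bot: style nit on `{{- with .Values.workers.serviceAccount.annotations}}`: the closing `}}` is missing the space that the scheduler and webserver equivalents in this PR have (`... .serviceAccount.annotations }}`). It renders identically, but since the line is being rewritten anyway it is the moment to make the three files match.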