Update RBAC rules for Airflow Workers

We are getting the following errors [0] while getting Airflow worker to execute a health check on the underlying K8s cluster. This patch set is meant to grant watch/get/list pods rights to the airflow worker so that it can perform health checks on the K8s cluster. [0] Error messages: [2018-01-23 02:51:32,003] {base_task_runner.py:98} INFO - Subtask: HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure", "message":"pods is forbidden: User \"system:serviceaccount:ucp:airflow-worker\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403} Change-Id: Iede29f605b5d508d0e58c0c2ae74d7d040d5b8ea
2018-01-23 03:05:31 +00:00 · 2018-01-23 03:05:31 +00:00 · 4991d8f6ff
parent 95784c03ed
commit 4991d8f6ff
1 changed files with 33 additions and 2 deletions
--- a/charts/shipyard/templates/deployment-airflow-worker.yaml
+++ b/charts/shipyard/templates/deployment-airflow-worker.yaml
@ -15,10 +15,41 @@
 {{- if .Values.manifests.deployment_airflow_worker }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
-{{- $serviceAccountName := "airflow-worker" }}
-{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_worker := .Values.pod.mounts.airflow_worker.airflow_worker }}
 {{- $mounts_airflow_worker_init := .Values.pod.mounts.airflow_worker.init_container }}
+{{- $serviceAccountName := "airflow-worker" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: airflow-worker-runner
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: run-airflow-worker
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: airflow-worker-runner
+  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1beta1
 kind: Deployment