From 4991d8f6ffb08bc5728e8c8590ac367a84060c35 Mon Sep 17 00:00:00 2001
From: Anthony Lin
Date: Tue, 23 Jan 2018 03:05:31 +0000
Subject: [PATCH] Update RBAC rules for Airflow Workers

We are getting the following errors [0] while getting Airflow worker to execute a health check on the underlying K8s cluster. This patch set is meant to grant watch/get/list pods rights to the airflow worker so that it can perform health checks on the K8s cluster.

[0] Error messages:
[2018-01-23 02:51:32,003] {base_task_runner.py:98} INFO - Subtask: HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure", "message":"pods is forbidden: User \"system:serviceaccount:ucp:airflow-worker\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

Change-Id: Iede29f605b5d508d0e58c0c2ae74d7d040d5b8ea
---
 .../templates/deployment-airflow-worker.yaml | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/charts/shipyard/templates/deployment-airflow-worker.yaml b/charts/shipyard/templates/deployment-airflow-worker.yaml
index 20a8e6c5..9412725d 100644
--- a/charts/shipyard/templates/deployment-airflow-worker.yaml
+++ b/charts/shipyard/templates/deployment-airflow-worker.yaml
@@ -15,10 +15,41 @@
 {{- if .Values.manifests.deployment_airflow_worker }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.airflow_server }}
-{{- $serviceAccountName := "airflow-worker" }}
-{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $mounts_airflow_worker := .Values.pod.mounts.airflow_worker.airflow_worker }}
 {{- $mounts_airflow_worker_init := .Values.pod.mounts.airflow_worker.init_container }}
+{{- $serviceAccountName := "airflow-worker" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: airflow-worker-runner
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/proxy
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: run-airflow-worker
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: airflow-worker-runner
+ apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
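Review bot: The new ClusterRole grants get/list/watch on nodes, nodes/proxy, services and endpoints cluster-wide, while the commit message and the quoted 403 only call for pods; `nodes/proxy` in particular reaches the kubelet API through the apiserver proxy, which is far broader than a pod health check needs. Unless the worker's health check is known to read those other resources, I would trim `resources:` to `- pods` (or at the very least drop `- nodes/proxy`), and if the check only inspects its own namespace a namespaced Role/RoleBinding is preferable to the cluster-scoped pair. The names `airflow-worker-runner` and `run-airflow-worker` are on cluster-scoped objects and are not release-qualified, so a second install of the chart in another namespace would collide with the first; `name: {{ .Release.Name }}-airflow-worker-runner` (and the matching `roleRef` name) avoids that. `rbac.authorization.k8s.io/v1beta1` is the deprecated API version and, if the target clusters are 1.8 or newer, `rbac.authorization.k8s.io/v1` should be used instead. The enclosing `{{- if .Values.manifests.deployment_airflow_worker }}` template block continues past the end of the hunk.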