Make airflow-worker containers non-privileged

The 'airflow-worker' and 'airflow-logrotate' containers do not need to
run as privileged containers to perform their jobs. Shipyard deploy_site
action was used to test the 'airflow-worker' as a deploy_site invokes
'airflow-worker'. When performing deploy_site action, all steps succeeded
and the 'airflow-worker' shows no errors when 'airflow-worker' is
non-privileged.

When 'airflow-logrotate' runs as non-privileged, the 'airflow-logrotate'
container still logs correctly and is able to delete/rotate logs without
problems.

Note: Making airflow-worker run with non-privileged containers means that
these containers will use the docker-default apparmor profile by default.

Change-Id: I26eda3eb8b7a36e67c2e7b593326f1d063600fc3
changes/45/605845/1
Rick Bartra 3 years ago
parent
commit
9eb430566b
  1. 4
      charts/shipyard/templates/statefulset-airflow-worker.yaml

@ -127,8 +127,6 @@ spec:
readinessProbe:
tcpSocket:
port: {{ .Values.network.airflow.worker.port }}
securityContext:
privileged: true
volumeMounts:
- name: airflow-etc
mountPath: {{ .Values.conf.airflow_config_file.path }}
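Review bot: In the airflow-worker container (the block after the readinessProbe), the securityContext is removed outright, so the non-privileged state now rests on the runtime default instead of being stated in the template. Consider keeping the block with `privileged: false` and `allowPrivilegeEscalation: false`, so the intent is visible to anyone reading the chart and a later edit has to change an explicit setting to reverse it.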
@ -179,8 +177,6 @@ spec:
ps -ef | grep 'sleep 3600' | grep -v 'grep'
initialDelaySeconds: 15
periodSeconds: 15
securityContext:
privileged: true
volumeMounts:
- name: airflow-logs
mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
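Review bot: For the logrotate container (the one whose probe greps for 'sleep 3600'), the commit message's note that non-privileged containers fall back to the docker-default AppArmor profile is not recorded anywhere in the template. A short comment next to this container spec, or an explicit AppArmor annotation on the pod, would document that dependency. It would also help to state which user needs write access to the `airflow-logs` mount, since rotation and deletion depend on it.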
