From 9eb430566bf9a7620d39c14c61e561ed92ff54c5 Mon Sep 17 00:00:00 2001
From: Rick Bartra
Date: Thu, 27 Sep 2018 14:46:54 -0400
Subject: [PATCH] Make airflow-worker containers non-privileged

The 'airflow-worker' and 'airflow-logrotate' containers do not need to run as privileged containers to perform their jobs. Shipyard deploy_site action was used to test the 'airflow-worker' as a deploy_site invokes 'airflow-worker'. When performing deploy_site action, all steps succeeded and the 'airflow-worker' shows no errors when 'airflow-worker' is non-privileged. When 'airflow-logrotate' runs as non-privileged, the 'airflow-logrotate' container still logs correctly and is able to delete/rotate logs without problems. Note: Making airflow-worker run with non-privileged containers means that these containers will use the docker-default apparmor profile by default.

Change-Id: I26eda3eb8b7a36e67c2e7b593326f1d063600fc3
---
 charts/shipyard/templates/statefulset-airflow-worker.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml
index da2e7ed4..9cf6c33c 100644
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -127,8 +127,6 @@ spec:
 readinessProbe:
 tcpSocket:
 port: {{ .Values.network.airflow.worker.port }}
- securityContext:
- privileged: true
 volumeMounts:
 - name: airflow-etc
 mountPath: {{ .Values.conf.airflow_config_file.path }}
@@ -179,8 +177,6 @@ spec:
 ps -ef | grep 'sleep 3600' | grep -v 'grep'
 initialDelaySeconds: 15
 periodSeconds: 15
- securityContext:
- privileged: true
 volumeMounts:
 - name: airflow-logs
 mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
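Review bot: Both hunks delete the container `securityContext` block entirely rather than tightening it, so on the new side the airflow-worker and airflow-logrotate containers have no container-level security settings at all and fall back to whatever the pod or runtime defaults are (the container definitions continue outside the hunks, so a pod-level `runAsNonRoot`/`runAsUser` may exist — worth checking). Since the commit reports that both containers work without privilege, the same spot should keep a minimal hardened context instead of none, e.g. `securityContext:` / `allowPrivilegeEscalation: false` / `capabilities: {drop: [ALL]}`, with deploy_site and one log-rotation cycle re-run to confirm neither container needs a retained capability (logrotate presumably only needs write access to the mounted airflow-logs volume, which is a matter of ownership rather than capabilities — confirm). The commit message's statement that the containers now receive the docker-default AppArmor profile only holds on nodes whose runtime has AppArmor enabled; elsewhere the removal of `privileged` is the only hardening in effect, so that caveat belongs in a chart comment next to the worker container, e.g. `# non-privileged; AppArmor confinement applies only where the node runtime provides it`.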