airflow-helm · thesuperzapper · May 1, 2024 · Jul 11, 2022 · Jul 11, 2022 · Apr 29, 2024
@@ -206,6 +206,7 @@ Parameter | Description | Default
 `airflow.defaultAffinity` | default affinity configs for airflow Pods (is overridden by pod-specific values) | `{}`
 `airflow.defaultTolerations` | default toleration configs for airflow Pods (is overridden by pod-specific values) | `[]`
 `airflow.defaultSecurityContext` | default securityContext configs for Pods (is overridden by pod-specific values) | `{fsGroup: 0}`
+`airflow.defaultContainerSecurityContext` | default securityContext for Containers in airflow Pods | `{}`
 `airflow.podAnnotations` | extra annotations for airflow Pods | `{}`
 `airflow.extraPipPackages` | extra pip packages to install in airflow Pods | `[]`
 `airflow.protectedPipPackages` | pip packages that are protected from upgrade/downgrade by `extraPipPackages` | `["apache-airflow"]`

@@ -7,6 +7,9 @@ imagePullPolicy: {{ .Values.airflow.image.pullPolicy }}
 securityContext:
   runAsUser: {{ .Values.airflow.image.uid }}
   runAsGroup: {{ .Values.airflow.image.gid }}
+  {{- if .Values.airflow.defaultContainerSecurityContext }}
+  {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 2 }}
+  {{- end }}
 {{- end }}
 
 {{/*
@@ -199,6 +202,9 @@ EXAMPLE USAGE: {{ include "airflow.container.git_sync" (dict "Release" .Release
   securityContext:
     runAsUser: {{ .Values.dags.gitSync.image.uid }}
     runAsGroup: {{ .Values.dags.gitSync.image.gid }}
+    {{- if .Values.airflow.defaultContainerSecurityContext }}
+    {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 4 }}
+    {{- end }}
   resources:
     {{- toYaml .Values.dags.gitSync.resources | nindent 4 }}
   envFrom:

@@ -84,6 +84,9 @@ spec:
           securityContext:
             runAsUser: {{ .Values.pgbouncer.image.uid }}
             runAsGroup: {{ .Values.pgbouncer.image.gid }}
+            {{- if .Values.airflow.defaultContainerSecurityContext }}
+            {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.pgbouncer.resources | nindent 12 }}
           envFrom:

@@ -197,6 +197,14 @@ airflow:
     ## this does NOT give root permissions to Pods, only the "root" group
     fsGroup: 0
 
+  ## default securityContext for Containers in airflow Pods
+  ## - spec for SecurityContext:
+  ##   https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#securitycontext-v1-core
+  ## - `runAsUser` is ignored, please set with per-image `*.image.uid`
+  ## - `runAsGroup` is ignored, please set with per-image `*.image.gid`
+  ##
+  defaultContainerSecurityContext: {}
+
   ## extra annotations for airflow Pods
   ##
   podAnnotations: {}
@@ -2029,7 +2037,7 @@ redis:
       ## the access mode of the PVC
       ##
       accessModes:
-      - ReadWriteOnce
+        - ReadWriteOnce
 
       ## the size of PVC to request
       ##