restrict security context enforcement to knada airflow

navikt · Mar 5, 2024 · 60966d2 · 60966d2
1 parent 8d8e9a9
commit 60966d2
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 13 deletions.
diff --git a/dataverk_airflow/bucket_read.py b/dataverk_airflow/bucket_read.py
@@ -24,8 +24,4 @@ def bucket_read(
             requests={"memory": "128Mi"},
             limits={"memory": "128Mi"}
         ),
-        security_context=k8s.V1SecurityContext(
-            run_as_user=1000,
-            allow_privilege_escalation=False,
-        )
     )
diff --git a/dataverk_airflow/git_clone.py b/dataverk_airflow/git_clone.py
@@ -6,7 +6,8 @@
 def git_clone(
     repo: str,
     branch: str,
-    mount_path: str
+    mount_path: str,
+    run_as_user: str,
 ):
     return k8s.V1Container(
         name="clone-repo",
@@ -44,7 +45,7 @@ def git_clone(
             ),
         ],
         security_context=k8s.V1SecurityContext(
-            run_as_user=50000,
+            run_as_user=run_as_user,
             allow_privilege_escalation=False,
         )
     )
diff --git a/dataverk_airflow/kubernetes_operator.py b/dataverk_airflow/kubernetes_operator.py
@@ -85,7 +85,7 @@ def kubernetes_operator(
     :param delete_on_finish: bool: Whether to delete pod on completion
     :param retry_delay: timedelta: Time inbetween retries, default 5 seconds
     :param do_xcom_push: bool: Enable xcom push of content in file '/airflow/xcom/return.json', default False
-    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000.
+    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000 (standard uid for airflow).
     :param on_success_callback: a function or list of functions to be called when a task instance
         of this task fails. a context dictionary is passed as a single
         parameter to this function. Context contains references to related
@@ -169,7 +169,7 @@ def on_failure(context):
                         security_context=client.V1SecurityContext(
                             allow_privilege_escalation=False,
                             run_as_user=container_uid,
-                        )
+                        ) if not is_composer else None
                     )
                 ]
             )
@@ -223,14 +223,14 @@ def config_file(is_composer: bool) -> str:
         return "/home/airflow/composer_kube_config" if is_composer else None
 
 
-def init_containers(is_composer: bool, repo: str, branch: str) -> List[V1Container]:
+def init_containers(is_composer: bool, repo: str, branch: str, run_as_user: str) -> List[V1Container]:
     if is_composer:
         return [
             bucket_read(POD_WORKSPACE_DIR)
         ]
     else:
         return [
-            git_clone(repo, branch, POD_WORKSPACE_DIR)
+            git_clone(repo, branch, POD_WORKSPACE_DIR, run_as_user)
         ]
 
 

diff --git a/dataverk_airflow/notebook_operator.py b/dataverk_airflow/notebook_operator.py
@@ -53,7 +53,7 @@ def notebook_operator(
     :param delete_on_finish: bool: Whether to delete pod on completion
     :param retry_delay: timedelta: Time inbetween retries, default 5 seconds
     :param do_xcom_push: bool: Enable xcom push of content in file '/airflow/xcom/return.json', default False
-    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000.
+    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000 (standard uid for airflow).
     :param on_success_callback: Callable
 
     :return: KubernetesPodOperator

diff --git a/dataverk_airflow/python_operator.py b/dataverk_airflow/python_operator.py
@@ -51,7 +51,7 @@ def python_operator(
     :param delete_on_finish: bool: Whether to delete pod on completion
     :param retry_delay: timedelta: Time inbetween retries, default 5 seconds
     :param do_xcom_push: bool: Enable xcom push of content in file '/airflow/xcom/return.json', default False
-    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000.
+    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000 (standard uid for airflow).
     :param on_success_callback: Callable
 
     :return: KubernetesPodOperator

diff --git a/dataverk_airflow/quarto_operator.py b/dataverk_airflow/quarto_operator.py
@@ -53,7 +53,7 @@ def quarto_operator(
     :param delete_on_finish: bool: Whether to delete pod on completion
     :param retry_delay: timedelta: Time inbetween retries, default 5 seconds
     :param do_xcom_push: bool: Enable xcom push of content in file '/airflow/xcom/return.json', default False
-    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000.
+    :param container_uid: int: User ID for the container image. Root (id = 0) is not allowed, defaults to 50000 (standard uid for airflow).
     :param on_success_callback: Callable
 
     :return: KubernetesPodOperator