Update KubeExecutor pod templates to allow access to IAM permissions (a…

…pache#15669) If AWS's Identity-based IAM policies are in use on the cluster they token file will be mounted in to the pod (via the service account) and, prior to this change, will be owned by root. Specifying `fsGroup` makes the file group-readable by the `airflow` user. We already specify this in our helm chart, so this change is just for anyone looking at the docs.
tnk-ysk · May 6, 2021 · 1024c92 · 1024c92
1 parent 151ba30
commit 1024c92
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_image_template.yaml
@@ -65,6 +65,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity:

diff --git a/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml b/airflow/kubernetes/pod_template_file_examples/dags_in_volume_template.yaml
@@ -62,6 +62,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity:

diff --git a/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml b/airflow/kubernetes/pod_template_file_examples/git_sync_template.yaml
@@ -86,6 +86,7 @@ spec:
   restartPolicy: Never
   securityContext:
     runAsUser: 50000
+    fsGroup: 50000
   nodeSelector:
     {}
   affinity: