Make airflow-worker containers non-privileged
The 'airflow-worker' and 'airflow-logrotate' containers do not need to run as privileged containers to perform their jobs.

Shipyard deploy_site action was used to test the 'airflow-worker' as a deploy_site invokes 'airflow-worker'. When performing deploy_site action, all steps succeeded and the 'airflow-worker' shows no errors when 'airflow-worker' is non-privileged.

When 'airflow-logrotate' runs as non-privileged, the 'airflow-logrotate' container still logs correctly and is able to delete/rotate logs without problems.

Note: Making airflow-worker run with non-privileged containers means that these containers will use the docker-default apparmor profile by default.

Change-Id: I26eda3eb8b7a36e67c2e7b593326f1d063600fc3
parent 7b040ec266
commit 9eb430566b
|
@ -127,8 +127,6 @@ spec:
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: {{ .Values.network.airflow.worker.port }}
|
port: {{ .Values.network.airflow.worker.port }}
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: airflow-etc
|
- name: airflow-etc
|
||||||
mountPath: {{ .Values.conf.airflow_config_file.path }}
|
mountPath: {{ .Values.conf.airflow_config_file.path }}
|
||||||
|
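Review bot: In the hunk at -127, the whole `securityContext:` block is deleted from the worker container instead of being replaced by an explicit non-privileged one, so the template no longer states the intent and relies on runtime defaults. Consider keeping `securityContext:` with `privileged: false` and `allowPrivilegeEscalation: false`, ideally driven from values, so that the setting is visible in the chart and cannot silently change with cluster defaults. The commit message notes that the docker-default AppArmor profile now applies; a short comment next to the `readinessProbe` / `volumeMounts` section or in the chart documentation would record that for operators.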
@ -179,8 +177,6 @@ spec:
|
||||||
ps -ef | grep 'sleep 3600' | grep -v 'grep'
|
ps -ef | grep 'sleep 3600' | grep -v 'grep'
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 15
|
periodSeconds: 15
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: airflow-logs
|
- name: airflow-logs
|
||||||
mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
|
mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
|
||||||
|
|
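Review bot: In the hunk at -179, dropping `privileged: true` from the log-rotation container means deleting and rotating files under the `airflow-logs` mount at `base_log_folder` now depends on the user the container runs as and on the ownership of that volume, neither of which is stated in the template. The commit message reports a manual check only; consider declaring the expected user explicitly (for example `runAsUser` in a retained `securityContext:`) and `allowPrivilegeEscalation: false`, so that a later image or volume change does not break rotation without notice.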