Make airflow-worker containers non-privileged

The 'airflow-worker' and 'airflow-logrotate' containers do not need to run as privileged containers to perform their jobs. Shipyard deploy_site action was used to test the 'airflow-worker' as a deploy_site invokes 'airflow-worker'. When performing deploy_site action, all steps succeeded and the 'airflow-worker' shows no errors when 'airflow-worker' is non-privileged. When 'airflow-logrotate' runs as non-privileged, the 'airflow-logrotate' container still logs correctly and is able to delete/rotate logs without problems. Note: Making airflow-worker run with non-privileged containers means that these containers will use the docker-default apparmor profile by default. Change-Id: I26eda3eb8b7a36e67c2e7b593326f1d063600fc3
2018-09-27 14:46:54 -04:00 · 2018-09-27 14:46:54 -04:00 · 9eb430566b
commit 9eb430566b
parent 7b040ec266
1 changed files with 0 additions and 4 deletions
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@ -127,8 +127,6 @@ spec:
          readinessProbe:
            tcpSocket:
              port: {{ .Values.network.airflow.worker.port }}
-          securityContext:
-            privileged: true
          volumeMounts:
            - name: airflow-etc
              mountPath: {{ .Values.conf.airflow_config_file.path }}
@ -179,8 +177,6 @@ spec:
                ps -ef | grep 'sleep 3600' | grep -v 'grep'
            initialDelaySeconds: 15
            periodSeconds: 15
-          securityContext:
-            privileged: true
          volumeMounts:
            - name: airflow-logs
              mountPath: {{ .Values.conf.airflow.core.base_log_folder }}