Apache Airflow / AIRFLOW-4856

KubernetesExecutor's git initContainer always runs as user 65533


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.10.3
    • Fix Version/s: 1.10.4
    • Component/s: executors
    • Labels: None

      Description

      When trying to use KubernetesExecutor with git sync functionality, I got this error:

      [2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
      Traceback (most recent call last):
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
          self.kube_scheduler.run_next(task)
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
          self.launcher.run_pod_async(pod)
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
          resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
          (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
          collection_formats=collection_formats)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
          _return_http_data_only, collection_formats, _preload_content, _request_timeout)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
          _request_timeout=_request_timeout)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
          body=body)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
          body=body)
        File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
          raise ApiException(http_resp=r)
      kubernetes.client.rest.ApiException: (403)
      Reason: Forbidden
      HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
      HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}

      even though the run_as_user option has been set in the cfg file as below:

      [kubernetes]

      run_as_user = 1000000000

       

      https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128

      From here we can see the init container is always running as user 65533.

      Maybe we can use self.kube_config.worker_run_as_user instead.

      Br,
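
Added example (not part of the original report and not Airflow's code): a pre-flight check that applies Kubernetes' securityContext precedence to a pod spec and lists every container whose explicit UID falls outside the range quoted in the 403 response. The pod builder and its `init_uid` parameter are hypothetical, and the pod dicts are constructed.

```python
# Added example: pre-flight check of a pod spec against an SCC-style UID range.
# The range is the one quoted in the 403 response; the pod dicts are constructed.
UID_MIN, UID_MAX = 1000000000, 1000009999


def effective_uids(pod):
    """Yield (container_name, uid) using Kubernetes precedence:
    container-level securityContext.runAsUser overrides the pod-level value."""
    spec = pod["spec"]
    pod_uid = spec.get("securityContext", {}).get("runAsUser")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
            yield c["name"], uid


def uid_violations(pod, uid_min=UID_MIN, uid_max=UID_MAX):
    """Return [(container_name, uid)] for every explicit UID outside the range.
    Containers with no UID set anywhere are skipped: nothing explicit to reject."""
    return [(name, uid) for name, uid in effective_uids(pod)
            if uid is not None and not uid_min <= uid <= uid_max]


def build_worker_pod(run_as_user, init_uid=None):
    """Hypothetical builder (an assumption, not Airflow's implementation).
    init_uid=65533 models the hardcoded init container UID from the report;
    init_uid=None lets the init container inherit the pod-level run_as_user."""
    init = {"name": "git-sync-clone"}
    if init_uid is not None:
        init["securityContext"] = {"runAsUser": init_uid}
    return {"spec": {
        "securityContext": {"runAsUser": run_as_user},
        "initContainers": [init],
        "containers": [{"name": "base"}],
    }}


if __name__ == "__main__":
    # Hardcoded init container UID: rejected even though run_as_user is in range.
    print(uid_violations(build_worker_pod(1000000000, init_uid=65533)))
    # Init container inherits the configured UID: no violations.
    print(uid_violations(build_worker_pod(1000000000)))
```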

              People

              • Assignee: Unassigned
              • Reporter: Mingjie Mingjie LI
              • Votes: 0
              • Watchers: 3
