add security context overrides support for kubernetes executor

tests/chart/test_pod_template.py

@@ -153,3 +153,32 @@ def test_pod_template_resource_overrides(self, kube_version):
         podTemplate = yaml.safe_load(doc["data"]["pod_template_file.yaml"])
         assert "resources" in podTemplate["spec"]["containers"][0]
         assert resources == podTemplate["spec"]["containers"][0]["resources"]
+
+    def test_pod_template_worker_securitycontext_defaults(self, kube_version):
+        """Test airflow pod template security context defaults."""
+        podSecurityContextDefaults = {"runAsUser": 50000, "fsGroup": 50000}
+        containerSecurityContextDefaults = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
+        docs = render_chart(
+            kube_version=kube_version,
+            values={},
+            show_only="charts/airflow/templates/configmaps/configmap.yaml",
+        )
+        common_pod_template_test(docs)
+        doc = docs[0]
+        podTemplate = yaml.safe_load(doc["data"]["pod_template_file.yaml"])
+        assert podSecurityContextDefaults == podTemplate["spec"]["securityContext"]
+        assert containerSecurityContextDefaults == podTemplate["spec"]["containers"][0]["securityContext"]
+
+    def test_pod_template_worker_securitycontext_overrides(self, kube_version):
+        """Test airflow pod template security context defaults."""
+        securityContexts = {"pod": {"runAsNonRoot": False}, "container": {"allowPrivilegeEscalation": False}}
+        docs = render_chart(
+            kube_version=kube_version,
+            values={"airflow": {"workers": {"securityContexts": securityContexts}}},
+            show_only="charts/airflow/templates/configmaps/configmap.yaml",
+        )
+        common_pod_template_test(docs)
+        doc = docs[0]
+        podTemplate = yaml.safe_load(doc["data"]["pod_template_file.yaml"])
+        assert {"runAsNonRoot": False} == podTemplate["spec"]["securityContext"]
+        assert {"allowPrivilegeEscalation": False} == podTemplate["spec"]["containers"][0]["securityContext"]

values.yaml

@@ -201,6 +201,8 @@ airflow:
     {{- $nodeSelector := or .Values.nodeSelector .Values.workers.nodeSelector }}
     {{- $affinity := or .Values.affinity .Values.workers.affinity }}
     {{- $tolerations := or .Values.tolerations .Values.workers.tolerations }}
+    {{- $securityContext := include "airflowPodSecurityContext" (list . .Values.workers) }}
+    {{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.workers) }}
     apiVersion: v1
     kind: Pod
     metadata:
@@ -244,6 +246,7 @@ airflow:
     {{- include "container_extra_envs" (list . .Values.workers.env) | indent 6 }}
           image: {{ template "pod_template_image" . }}
           imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+          securityContext: {{ $containerSecurityContext | nindent 8 }}
           name: base
           ports: []
           resources: {{- toYaml .Values.workers.resources | nindent 8 }}
@@ -284,10 +287,8 @@ airflow:
         - name: {{ template "registry_secret" . }}
       {{- end }}
       restartPolicy: Never
-      securityContext:
-        runAsUser: {{ .Values.uid }}
-        fsGroup: {{ .Values.gid }}
       nodeSelector: {{ toYaml $nodeSelector | nindent 4 }}
+      securityContext: {{ $securityContext | nindent 4 }}
       affinity: {{ toYaml $affinity | nindent 4 }}
       tolerations: {{ toYaml $tolerations | nindent 4 }}
       serviceAccountName: {{ include "worker.serviceAccountName" . }}