@noqcks
Created November 26, 2018 18:49
Revisions

  1. Benji Visser created this gist Nov 26, 2018.
airflow-rbac.yml
```yaml
---
# Identity the scheduler pod runs as. Every binding below is a namespaced
# RoleBinding in the airflow namespace; nothing here is cluster-wide.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: airflow-scheduler
  namespace: airflow
---
# Allows Airflow to read config maps (airflow.cfg)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-config
  namespace: airflow
subjects:
  - kind: ServiceAccount
    name: airflow-scheduler
    namespace: airflow
roleRef:
  kind: Role
  name: airflow-get-config
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-get-config
  namespace: airflow
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]
---
# Allows Airflow to read secrets from Kubernetes.
# roleRef.kind must be Role here: secret-reader is defined below as a
# namespaced Role. A roleRef of kind ClusterRole would be looked up
# cluster-wide, and with no ClusterRole of that name the binding would
# be accepted by the API server but grant nothing.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-secret-reader
  namespace: airflow
subjects:
  - kind: ServiceAccount
    name: airflow-scheduler
    namespace: airflow
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
  namespace: airflow
rules:
  # list and watch return the full contents of every secret in the
  # namespace, not just their names; if the scheduler only needs a few
  # known secrets, prefer "get" restricted with resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# Allows Airflow to create, track and delete pods, and read their logs,
# when using the KubernetesPodOperator
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-binding
  namespace: airflow
subjects:
  - kind: ServiceAccount
    name: airflow-scheduler
    namespace: airflow
roleRef:
  kind: Role
  name: pod-create-delete
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-create-delete
  namespace: airflow
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
```
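A manifest like this is easy to get subtly wrong: a RoleBinding whose roleRef says `kind: ClusterRole` while the rules live in a namespaced `Role` of the same name is accepted by the API server, but the RBAC authorizer looks up a ClusterRole of that name cluster-wide and, finding none, grants nothing. The following is an added example, not code from the gist or from Airflow: a small offline resolver that indexes the Roles and ClusterRoles in a manifest, resolves each RoleBinding the way the authorizer does, and computes the (apiGroup, resource, verb) set a ServiceAccount ends up with. The manifest is embedded as Python dicts constructed to mirror the gist's objects (with the ClusterRole/Role mismatch in the secrets binding left in so the checker has something to find); no YAML library is needed, and the function and variable names are this example's own.

```python
"""Offline RBAC resolver for a namespaced manifest (added example, not the gist's code)."""
from itertools import product

# Constructed mirror of the gist's airflow-rbac.yml objects. The secrets
# binding references kind ClusterRole while the rules are in a namespaced
# Role named secret-reader, which is the mismatch the checker reports.
MANIFEST = [
    {"kind": "ServiceAccount", "metadata": {"name": "airflow-scheduler", "namespace": "airflow"}},
    {"kind": "RoleBinding", "metadata": {"name": "airflow-scheduler-config", "namespace": "airflow"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}],
     "roleRef": {"kind": "Role", "name": "airflow-get-config"}},
    {"kind": "Role", "metadata": {"name": "airflow-get-config", "namespace": "airflow"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "airflow-scheduler-secret-reader", "namespace": "airflow"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
    {"kind": "Role", "metadata": {"name": "secret-reader", "namespace": "airflow"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "airflow-scheduler-binding", "namespace": "airflow"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}],
     "roleRef": {"kind": "Role", "name": "pod-create-delete"}},
    {"kind": "Role", "metadata": {"name": "pod-create-delete", "namespace": "airflow"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
               {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
]


def _index_roles(objects):
    """Map (kind, namespace or None, name) -> rules. ClusterRoles carry no namespace."""
    roles = {}
    for obj in objects:
        if obj["kind"] == "Role":
            roles[("Role", obj["metadata"]["namespace"], obj["metadata"]["name"])] = obj.get("rules", [])
        elif obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, obj["metadata"]["name"])] = obj.get("rules", [])
    return roles


def _resolve(binding, roles):
    """Rules a RoleBinding grants, or None when its roleRef resolves to nothing.

    Same lookup the RBAC authorizer performs: roleRef kind Role is searched in
    the binding's own namespace, kind ClusterRole is searched cluster-wide (and
    its rules still apply only inside the binding's namespace).
    """
    ref = binding["roleRef"]
    ns = binding["metadata"]["namespace"] if ref["kind"] == "Role" else None
    return roles.get((ref["kind"], ns, ref["name"]))


def unresolved_bindings(objects):
    """Names of RoleBindings whose roleRef points at no Role/ClusterRole in the manifest."""
    roles = _index_roles(objects)
    return sorted(b["metadata"]["name"] for b in objects
                  if b["kind"] == "RoleBinding" and _resolve(b, roles) is None)


def effective_verbs(objects, namespace, service_account):
    """Set of (apiGroup, resource, verb) the ServiceAccount is granted in `namespace`."""
    roles = _index_roles(objects)
    granted = set()
    for b in objects:
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == service_account
                   and s.get("namespace", namespace) == namespace
                   for s in b.get("subjects", [])):
            continue
        for rule in _resolve(b, roles) or []:
            for group, resource, verb in product(rule.get("apiGroups", [""]),
                                                 rule.get("resources", []),
                                                 rule.get("verbs", [])):
                granted.add((group, resource, verb))
    return granted


def with_role_ref_kind(objects, binding_name, kind):
    """Copy of the manifest with one binding's roleRef.kind replaced (the fix)."""
    return [{**o, "roleRef": {**o["roleRef"], "kind": kind}}
            if o["kind"] == "RoleBinding" and o["metadata"]["name"] == binding_name else o
            for o in objects]


if __name__ == "__main__":
    print("unresolved as written:", unresolved_bindings(MANIFEST))
    fixed = with_role_ref_kind(MANIFEST, "airflow-scheduler-secret-reader", "Role")
    print("unresolved after fix:", unresolved_bindings(fixed))
    for grant in sorted(effective_verbs(fixed, "airflow", "airflow-scheduler")):
        print(grant)
```

Running it against the mirrored manifest reports the secrets binding as unresolved and shows no secrets verbs for airflow-scheduler; after changing that binding's roleRef.kind to Role the set contains the 14 expected grants (3 on configmaps, 3 on secrets, 7 on pods, 1 on pods/log). On a live cluster the same check is `kubectl auth can-i list secrets -n airflow --as=system:serviceaccount:airflow:airflow-scheduler`.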