Airflow's RBAC template issue

[ashsrinivas-deloitte]

Hi ,

I have a situation, I can explain it to you. This is regarding the Airflow's RBAC template. It has very limited placeholder and no placeholder for custom rules( such as secret resource or others) .One of the Airflow service accounts in our namespace is unable to view the secrets in the present in the namespace , due to this Airflow is not functioning properly. I am suspecting that the secret resource is missing for us to view the secrets in the Role. If I attempt to disable role and role binding, it affects airflow scheduler pod to crash frequently. I am unable to tweak it manually in the cluster side as ArgoCD over-rides the changes every now and then.
Any suggestion or help would be appreciated.

https://artifacthub.io/packages/helm/airflow-helm/airflow/8.6.1?modal=template&template=rbac/airflow-role.yaml

Issue observed in a GKE cluster.
Airflow chart version 8.6.1

Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Audit-Id': 'dd9aa31b-9b40-4a76-afa9-e370077ba4b7', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '47c1d37c-5921-4e94-81d6-bec433015f66', 'X-Kubernetes-Pf-Prioritylevel-Uid': '10a42ebb-f92f-4d4c-84d3-67f819debc24', 'Date': 'Fri, 21 Jul 2023 17:35:35 GMT', 'Content-Length': '306'})

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User "system:serviceaccount:workflow-management:airflow" cannot list resource "pods" in API group "" in the namespace "workflow-management"","reason":"Forbidden","details":{"kind":"pods"},"code":403}

https://github.com/airflow-helm/charts/blob/main/charts/airflow/templates/rbac/airflow-role.yaml#L12

[ashsrinivas-deloitte]

I've resolved it by adding RBAC for secrets via boot strap scripts in my configuration. Please ignore my post.