Implementation:Apache Airflow RBAC Security Config

From Leeroopedia


Knowledge Sources
Domains Security, Kubernetes
Last Updated 2026-02-08 00:00 GMT

Overview

A concrete tool for configuring security, RBAC, and secrets in production Airflow deployments, provided by the Helm chart templates and the KubernetesExecutor.

Description

The Helm chart includes 12 RBAC template files defining roles for pod launching, log reading, and job management. Secrets templates manage Fernet keys, API secret keys, and database credentials. The KubernetesExecutor provides pod-level task isolation by running each task in a separate Kubernetes pod.

Usage

Enable RBAC, secrets, and network policies in Helm values. For workload isolation, use KubernetesExecutor.

Code Reference

Source Location

  • Repository: Apache Airflow
  • File: chart/templates/rbac/ (12 RBAC template files)
  • File: chart/templates/secrets/ (secret templates)
  • File: providers/cncf/kubernetes/src/airflow/providers/cncf/kubernetes/executors/kubernetes_executor.py
  • Lines: L77-756

Signature

# RBAC configuration
rbac:
  create: true
  createSCCRoleBinding: false   # OpenShift SCC compatibility

# Security settings
allowPodLaunching: true
multiNamespaceMode: false
networkPolicies:
  enabled: false

# Secrets
secret:
  fernetKey: ~           # Base64-encoded Fernet key
  webserverSecretKey: ~  # Flask secret key

KubernetesExecutor:

from airflow.executors.base_executor import BaseExecutor

class KubernetesExecutor(BaseExecutor):
    """Executor that creates a new Pod for each task."""
    # Creates Kubernetes pods dynamically
    # Each task runs in an isolated pod with its own resources
    # Pods are cleaned up after task completion

Import

# Deploy with KubernetesExecutor and security hardening
helm install airflow apache-airflow/airflow \
  --set executor=KubernetesExecutor \
  --set rbac.create=true \
  --set networkPolicies.enabled=true

I/O Contract

Inputs

Name | Type | Required | Description
rbac.create | bool | No | Create RBAC roles and bindings
networkPolicies.enabled | bool | No | Create network policy resources
secret.fernetKey | str | No | Fernet encryption key (auto-generated if not set)
executor | str | No | Executor type (KubernetesExecutor for isolation)

Outputs

Name | Type | Description
RBAC roles | K8s Roles/ClusterRoles | Scoped permissions for Airflow components
Secrets | K8s Secrets | Encrypted credentials mounted as env vars
NetworkPolicies | K8s NetworkPolicy | Pod communication restrictions
Task pods | K8s Pods | Isolated per-task pods (KubernetesExecutor)

Usage Examples

Production Security Configuration

# my-values.yaml
executor: KubernetesExecutor

rbac:
  create: true

networkPolicies:
  enabled: true

secret:
  fernetKey: "your-base64-encoded-fernet-key"
  webserverSecretKey: "your-secret-key"
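
A pre-deployment check for the values file above, added here as an example and not part of the Airflow chart or its tooling. The helper names are hypothetical, the input is an already-parsed values dict, and missing keys fall back to the defaults shown under Signature.

```python
import base64
import binascii
import os

# Placeholder strings from the sample my-values.yaml; they must never be deployed.
PLACEHOLDERS = {"your-base64-encoded-fernet-key", "your-secret-key"}


def generate_fernet_key() -> str:
    """Return a new Fernet key: 32 random bytes, URL-safe base64 (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def is_valid_fernet_key(key: str) -> bool:
    """A Fernet key must decode (URL-safe base64) to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(key.encode("ascii"))) == 32
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return False


def audit_values(values: dict) -> list:
    """Return a list of findings for a parsed Helm values dict (hypothetical helper)."""
    findings = []
    if values.get("executor") != "KubernetesExecutor":
        findings.append("executor: not KubernetesExecutor, no per-task pod isolation")
    # Defaults taken from the Signature section: rbac.create=true, networkPolicies.enabled=false
    if not (values.get("rbac") or {}).get("create", True):
        findings.append("rbac.create: RBAC roles and bindings are not created")
    if not (values.get("networkPolicies") or {}).get("enabled", False):
        findings.append("networkPolicies.enabled: no NetworkPolicy resources")
    secret = values.get("secret") or {}
    fernet = secret.get("fernetKey")
    if fernet in PLACEHOLDERS:
        findings.append("secret.fernetKey: placeholder value left in place")
    elif fernet is not None and not is_valid_fernet_key(fernet):
        findings.append("secret.fernetKey: not 32 bytes of URL-safe base64")
    if secret.get("webserverSecretKey") in PLACEHOLDERS:
        findings.append("secret.webserverSecretKey: placeholder value left in place")
    return findings
```

An unset fernetKey produces no finding because the chart auto-generates one, as noted in the Inputs table.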
