Install Remote Execution Agents in a restricted Kubernetes namespace
Airflow 3
This feature is only available for Airflow 3.x Deployments.
You can install the Remote Execution Agent in a Kubernetes namespace with restricted Pod Security Standards. Your organization might have different security standards for infrastructure supporting internal-only sandboxes compared to production environments.
Kubernetes Pod Security Standards define different security levels for Pods:
- Privileged: No restrictions (least secure)
- Baseline: Prevents known privilege escalations
- Restricted: Highly-constrained settings following security best practices (most secure)
The Restricted profile enforces the following limitations:
- Runs containers as non-root users
- Prevents privilege escalation
- Drops all Linux capabilities
- Uses read-only root filesystems when possible
- Requires a runtime default seccomp profile
However, because of these limitations, you need to complete the following additional Remote Execution Agent configuration steps.
Step 1: Create a restricted namespace
Create a Namespace in your Kubernetes manifest with the following restricted Pod Security Standards:
Step 2: Configure Global Security Settings
Modify your Agent's values.yaml file to set global security context settings that apply to all Agent components' Pods and containers:
Step 3: Configure component-specific settings
When using the Agent in a restricted namespace, you must configure volume mounts because:
- The container security context sets readOnlyRootFilesystem: true
- These directories need write access during runtime
- Using emptyDir volumes provides isolated, writable storage that meets security requirements
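The Restricted profile limitations listed above map to concrete securityContext and volume fields, and a Pod that misses any of them is rejected by the namespace's enforce label. The checker below, an added example that is not Astronomer's code or part of the Agent chart, evaluates a Pod spec against those fields, plus the page's emptyDir guidance for writable paths under a read-only root filesystem; both sample Pod specs are constructed.

```python
# Added example (not Astronomer's code or the Agent chart): check a Pod spec
# against the 'restricted' profile rules listed above. Pod specs are constructed.
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}

def check_restricted(pod: dict) -> list[str]:
    """Return restricted-profile violations for a Pod spec (empty = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    problems = [f"volume {n}: type {sorted(set(v) - {'name'})} not allowed"
                for n, v in volumes.items() if not set(v) - {"name"} <= ALLOWED_VOLUMES]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        # runAsNonRoot may be set on the Pod or the container; the container wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            problems.append(f"{name}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if caps.get("drop") != ["ALL"]:
            problems.append(f"{name}: capabilities.drop must be [ALL]")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added back")
        if sc.get("seccompProfile", {}).get("type", pod_seccomp) not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
        # Page guidance rather than a PSS rule: with a read-only root filesystem,
        # every path the process writes to should be backed by an emptyDir.
        if sc.get("readOnlyRootFilesystem"):
            for m in c.get("volumeMounts", []):
                if not m.get("readOnly") and "emptyDir" not in volumes.get(m["name"], {}):
                    problems.append(f"{name}: writable mount {m['mountPath']} is not an emptyDir")
    return problems

# Constructed sample: a Pod spec that satisfies every rule above.
COMPLIANT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "agent", "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

# Constructed sample: a sandbox-style spec that a restricted namespace would reject.
LAX_POD = {"spec": {
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "agent", "securityContext": {"readOnlyRootFilesystem": True},
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs"}]}]}}
```

Run `check_restricted` on the Pod the chart renders (for example via `kubectl get pod -o json`) before moving the Agent into the enforced namespace; an empty list means the spec clears the profile.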