noqcks/airflow-rbac.yml

## airflow-rbac.yml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: airflow-scheduler
  namespace: airflow
---
# Allows Airflow to grab config maps (airflow.cfg)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-config
  namespace: airflow
subjects:
- kind: ServiceAccount
  name: airflow-scheduler
  namespace: airflow
roleRef:
  kind: Role
  name: airflow-get-config
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-get-config
  namespace: airflow
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]
---
# Allows Airflow to read secrets from Kubernetes
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-secret-reader
  namespace: airflow
subjects:
- kind: ServiceAccount
  name: airflow-scheduler
  namespace: airflow
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: secret-reader
  namespace: airflow
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
---
# Allows Airflow to delete pods when using the Kubernetes PodOperator
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: airflow-scheduler-binding
  namespace: airflow
subjects:
- kind: ServiceAccount
  name: airflow-scheduler
  namespace: airflow
roleRef:
  kind: Role
  name: pod-create-delete
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-create-delete
  namespace: airflow
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: airflow-scheduler
	namespace: airflow
	---
	# Allows Airflow to grab config maps (airflow.cfg)
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: airflow-scheduler-config
	namespace: airflow
	subjects:
	- kind: ServiceAccount
	name: airflow-scheduler
	namespace: airflow
	roleRef:
	kind: Role
	name: airflow-get-config
	apiGroup: rbac.authorization.k8s.io
	---
	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: airflow-get-config
	namespace: airflow
	rules:
	- apiGroups: [""]
	resources: ["configmaps"]
	verbs: ["get", "watch", "list"]
	---
	# Allows Airflow to read secrets from Kubernetes
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: airflow-scheduler-secret-reader
	namespace: airflow
	subjects:
	- kind: ServiceAccount
	name: airflow-scheduler
	namespace: airflow
	roleRef:
	kind: ClusterRole
	name: secret-reader
	apiGroup: rbac.authorization.k8s.io
	---
	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: secret-reader
	namespace: airflow
	rules:
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["get", "watch", "list"]
	---
	# Allows Airflow to delete pods when using the Kubernetes PodOperator
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: airflow-scheduler-binding
	namespace: airflow
	subjects:
	- kind: ServiceAccount
	name: airflow-scheduler
	namespace: airflow
	roleRef:
	kind: Role
	name: pod-create-delete
	apiGroup: rbac.authorization.k8s.io
	---
	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: pod-create-delete
	namespace: airflow
	rules:
	- apiGroups: [""]
	resources: ["pods"]
	verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
	- apiGroups: [""]
	resources: ["pods/log"]
	verbs: ["get"]