Workflow Pod Security Context

By default, all workflow pods run as root. The Docker executor goes further and requires `privileged: true`.

For other workflow executors, you can run your workflow pods more securely by configuring the security context for your workflow pod.

This is likely to be necessary if your cluster enforces a pod security policy. A policy that forbids privileged containers also rules out the Docker executor, since it cannot run without `privileged: true`.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: security-context-
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 8737 # any non-root user
```

You can configure this globally using workflow defaults.
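Setting the security context per workflow relies on every author remembering to do it. The controller's `workflowDefaults` apply the same settings to every workflow it runs unless a workflow overrides them. The ConfigMap below is an added example for this page, not a manifest from the Argo project; the `argo` namespace and the UID `8737` are assumptions, and the ConfigMap must be the one the controller is started with (`workflow-controller-configmap` is the default name).

```yaml
# Added example: controller-wide defaults so that every workflow pod runs as
# non-root unless a Workflow explicitly sets its own securityContext.
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
  namespace: argo   # assumption: the namespace the controller runs in
data:
  # The value is a Workflow-shaped document; its spec is merged into each
  # Workflow submitted to this controller.
  workflowDefaults: |
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 8737   # assumption: any non-root UID your images tolerate
```

A workflow that sets `spec.securityContext` itself still wins over these defaults, so the defaults are a baseline for forgetful authors rather than an enforcement mechanism; a pod security policy or admission controller is what actually rejects root pods.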

!!! Warning "It is easy to make a workflow need root unintentionally"
    You may find that users' workflows have been written to require root with seemingly innocuous code. For example, `mkdir /my-dir` requires root, because only root can create a directory at the root of the container filesystem.

!!! Note "You must use volumes for output artifacts"
    If you use `runAsNonRoot`, you cannot have output artifacts on the base layer of the container image (e.g. `/tmp`). You must write them to a volume (e.g. an `emptyDir`).
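Putting the two notes together: a non-root workflow should do its `mkdir` and write its outputs under a mounted volume, not under a base-layer path. The Workflow below is an added example for this page, not one from the Argo project; it assumes the controller has an artifact repository configured (otherwise the output artifact cannot be saved), and the UID `8737`, the `alpine:3.18` image and the `/work` mount path are assumptions.

```yaml
# Added example: non-root workflow whose output artifact lives on an emptyDir.
# Kubernetes creates emptyDir directories world-writable, so UID 8737 can
# create subdirectories and files there without any root privilege.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: security-context-artifact-
spec:
  entrypoint: main
  securityContext:
    runAsNonRoot: true
    runAsUser: 8737   # assumption: any non-root UID
  volumes:
    - name: workdir
      emptyDir: {}
  templates:
    - name: main
      container:
        image: alpine:3.18   # assumption: any image with /bin/sh works
        command: [sh, -c]
        # mkdir under the volume mount succeeds as non-root;
        # "mkdir /my-dir" on the base layer would fail with EACCES.
        args:
          - mkdir -p /work/out && id -u > /work/out/result.txt
        volumeMounts:
          - name: workdir
            mountPath: /work
      outputs:
        artifacts:
          - name: result
            path: /work/out/result.txt   # on the volume, not on the base layer
```

If the image's files need to be readable by a group rather than a specific UID, add `fsGroup` alongside `runAsUser` in the pod-level `securityContext`; the artifact path itself still has to be on the volume.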