docs: Pod Security Context: Volumes aren't required in >= v3.3 and runAsNonRoot #14072
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
paulcwatts
force-pushed
the
pod-security-doc-fix
branch
from
f9582e3 to
08d7df9
Compare
I'm hoping this will save other developers a couple of hours of going down an unnecessary path. Signed-off-by: Paul Watts <[email protected]>
paulcwatts
force-pushed
the
pod-security-doc-fix
branch
from
08d7df9 to
e8e5d1b
Compare
MasonM
reviewed
Jan 11, 2025
Code review feedback Co-authored-by: Mason Malone <[email protected]> Signed-off-by: Paul Watts <[email protected]>
MasonM
approved these changes
Jan 11, 2025
tczhao
requested changes
Jan 12, 2025
Comment on lines
+27
to
+30
| !!! Note "You must use volumes for output artifacts (v3.3 or earlier)" | ||
| If you use `runAsNonRoot` in versions v3.3 or earlier, you cannot have output artifacts on base layer (e.g. `/tmp`). You must use a volume (e.g. [empty dir](empty-dir.md)). | ||
| In versions later than v3.3, the [Emissary executor](workflow-executors.md#emissary-emissary) | ||
| allows artifacts on the base layer with `runAsNonRoot`. |
There was a problem hiding this comment.
Suggested change
| !!! Note "You must use volumes for output artifacts (v3.3 or earlier)" | |
| If you use `runAsNonRoot` in versions v3.3 or earlier, you cannot have output artifacts on base layer (e.g. `/tmp`). You must use a volume (e.g. [empty dir](empty-dir.md)). | |
| In versions later than v3.3, the [Emissary executor](workflow-executors.md#emissary-emissary) | |
| allows artifacts on the base layer with `runAsNonRoot`. | |
| !!! Note "You must use volumes for output artifacts (v3.3 or earlier with non-emissary executor)" | |
| If you use `runAsNonRoot` in versions v3.3 or earlier with non-emissary executor, you cannot have output artifacts on base layer (e.g. `/tmp`). You must use a volume (e.g. [empty dir](empty-dir.md)). | |
| The [Emissary executor](workflow-executors.md#emissary-emissary) (available from v3.0, default since v3.3) | |
| allows artifacts on the base layer with `runAsNonRoot`. |
Let's be more precise with the wording.
Otherwise, we could remove this line since <= v3.4 is no longer maintained
There was a problem hiding this comment.
For all supported versions you don't need volumes it seems, so the whole note could just be removed?
There was a problem hiding this comment.
When I originally submitted the PR, I didn't know the docs were versioned or that 3.3 was no longer supported.
With that knowledge, if it were my project, I would also lean toward removing the note completely.
The purpose for submitting the PR in the first place was hopefully to save people time from going down an wrong path.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
A note regarding volumes being required for
runAsNonRoottook me down an incorrect path before I saw that was unnecessary in newer versions. I'm hoping this will save other developers a couple of hours of going down the same path.Modifications
Updated the note to qualify that it is only applicable for versions v3.3 or earlier, before the Emissary executor.