Low code platform for building business apps and workflows in minutes. Supports PostgreSQL, MySQL, MariaDB, MSSQL, MongoDB, Rest API, Docker, K8s, and more 🚀
Describe the feature request
When running the budibase/proxy service container in a multi-tenant cluster environment where the restricted Pod security standard is applied, the Pod ends up in the CrashLoopBackOff status. Looking at the logs, it appears the image requires superuser privileges, but in a restricted environment, spec.securityContext.runAsNonRoot forces containers to be run as non-root users.
Screenshots
Container logs:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: ERROR: /etc/nginx/templates exists, but /etc/nginx is not writable
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/80-listen-on-ipv6-by-default.sh
80-listen-on-ipv6-by-default.sh: info: ipv6 is available so no need to delete lines from nginx conf
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/08/22 08:35:56 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2024/08/22 08:35:56 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
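A triage sketch for logs like the ones above, added here as an example and not part of the original issue or of Budibase's code: it extracts the paths the container failed to write to and the root-only directive that was ignored, which are the points an image has to address to start under `runAsNonRoot`. The function names, finding labels and the embedded sample (copied from the failure lines in the log above) are assumptions of this example.

```python
import re

# Constructed sample: the failure lines quoted in the issue's container log.
SAMPLE_LOG = """\
20-envsubst-on-templates.sh: ERROR: /etc/nginx/templates exists, but /etc/nginx is not writable
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2024/08/22 08:35:56 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
"""

# (finding label, pattern); the named group "path" is the filesystem location involved.
PATTERNS = [
    ("not_writable", re.compile(r"but (?P<path>/\S+) is not writable")),
    ("write_denied", re.compile(
        r'\[emerg\].*?\b\w+\(\) "(?P<path>/[^"]+)" failed \(13: Permission denied\)')),
    ("root_only_directive", re.compile(
        r'the "user" directive makes sense only if .* ignored in (?P<path>/[^\s:]+)')),
]


def triage(log_text):
    """Return {label: sorted unique paths} for non-root startup problems in the log."""
    findings = {}
    for line in log_text.splitlines():
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.setdefault(label, set()).add(match.group("path"))
    return {label: sorted(paths) for label, paths in findings.items()}


def fatal(findings):
    """Paths behind [emerg] errors, the level at which nginx aborts startup."""
    return sorted(findings.get("write_denied", []))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, paths in result.items():
        print(label, paths)
    print("fatal:", fatal(result))
```
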