Ontotext-AD / graphdb-helm

Official Helm chart for GraphDB
https://www.ontotext.com/products/graphdb/
Apache License 2.0

How to implement security context for the pods to run as non root user and a read only fs? #59

Open farhan-ejaz opened 1 year ago

farhan-ejaz commented 1 year ago

As best practice the application must be run as a non root user with a read only root file system.

We could not find a way to configure such security context and moreover we can see the graphdb instance runs as a root user inside a container.

Sukhumi commented 1 year ago

With the latest 10.2.1 release, options to override the security contexts have been added. In https://github.com/Ontotext-AD/graphdb-helm/blob/10.2.1/examples/openshift-local/values.yaml you can find an example of how to set the security context so it's not run as root.

I am cautiously optimistic that in the next major release (10.3) the default configuration will be non-root and that the official GraphDB docker images will have a dedicated user to manage the GraphDB process.

farhan-ejaz commented 1 year ago

Tried using the new features, however I could not make it work. Added a volume to be used as the non-root fs, but the init container fails since it tries to copy to a location hardcoded in graphdb-node-configmap.yaml.

Is there a complete sample to follow the correct values to use?

jbelien commented 10 months ago

I seem to struggle with the same issue. I've added the securityContext based on https://github.com/Ontotext-AD/graphdb-helm/blob/10.4.0/examples/openshift-local/values.yaml but Kubernetes returned the following (expected) error message:

container has runAsNonRoot and image will run as root

I've tried a few things to try to run the image under a non-root user (like runAsUser in securityContext) but couldn't make it work.

Any insight is welcome! 😃

I'm also following https://github.com/Ontotext-AD/graphdb-docker/issues/5
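The error quoted above is what the kubelet reports when runAsNonRoot is set but no numeric runAsUser is given and the image itself has no non-root USER. The following is an added example, not code from the graphdb-helm chart: a small static check that merges the pod- and container-level securityContext the way Kubernetes does and flags the conditions that make a pod fail the non-root / read-only-rootfs baseline. The two pod specs, the image USER values and the writable paths are constructed placeholders, not the chart's rendered output or GraphDB's real directories.

```python
"""Static check of a pod spec's effective securityContext against the
baseline discussed in this thread: non-root user, read-only root
filesystem, every written path backed by a volume.

Added example, not code from the graphdb-helm chart. The manifests,
image USER values and writable paths below are constructed.
"""

# Fields present at both pod and container level; the container value wins.
# readOnlyRootFilesystem and allowPrivilegeEscalation are container-only.
SHARED_FIELDS = ("runAsNonRoot", "runAsUser", "runAsGroup")


def effective_security_context(pod_spec, container):
    """Merge the pod-level securityContext with the container's own."""
    pod_sc = pod_spec.get("securityContext") or {}
    merged = {k: pod_sc[k] for k in SHARED_FIELDS if k in pod_sc}
    merged.update(container.get("securityContext") or {})
    return merged


def check_container(pod_spec, container, image_user="", writable_paths=()):
    """Return a list of findings for one container (empty list = passes).

    image_user: the image's USER directive; "" means unset, i.e. root.
    writable_paths: directories the process must write to (assumed per workload).
    """
    sc = effective_security_context(pod_spec, container)
    findings = []
    run_as_user = sc.get("runAsUser")

    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not enforced")
    elif run_as_user is None:
        # Without runAsUser the kubelet falls back to the image's USER and
        # refuses to start a root or non-numeric user under runAsNonRoot.
        if image_user in ("", "0", "root"):
            findings.append("runAsNonRoot set but image will run as root")
        elif not image_user.isdigit():
            findings.append(f"runAsNonRoot set but image user {image_user!r} is non-numeric")
    elif run_as_user == 0:
        findings.append("runAsUser 0 contradicts runAsNonRoot")

    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    else:
        # With a read-only rootfs, each written path must sit under a mount.
        mounted = {m["mountPath"] for m in container.get("volumeMounts") or []}
        for path in writable_paths:
            if not any(path == mp or path.startswith(mp.rstrip("/") + "/") for mp in mounted):
                findings.append(f"{path} is written to but has no volume mount")

    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not disabled")
    return findings


def check_pod(pod_spec, image_users, writable_paths=()):
    """Map each container name to its findings."""
    return {
        c["name"]: check_container(pod_spec, c, image_users.get(c["name"], ""), writable_paths)
        for c in pod_spec.get("containers", [])
    }


# Constructed: only runAsNonRoot set, image without USER. This is the state
# behind the "container has runAsNonRoot and image will run as root" error.
FAILING_POD = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "graphdb", "image": "example/graphdb:placeholder"}],
}

# Constructed: numeric UID/GID at pod level, read-only rootfs at container
# level, emptyDir volumes for every path the process writes.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 500, "runAsGroup": 500, "fsGroup": 500},
    "containers": [{
        "name": "graphdb",
        "image": "example/graphdb:placeholder",
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False},
        "volumeMounts": [{"name": "data", "mountPath": "/data"}, {"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "data", "emptyDir": {}}, {"name": "tmp", "emptyDir": {}}],
}

WRITABLE = ("/data", "/tmp/graphdb")  # placeholders, not the image's real paths

if __name__ == "__main__":
    for label, spec in (("failing", FAILING_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(spec, {"graphdb": ""}, WRITABLE))
```

Running it against a rendered chart (`helm template ... | yq` into the same dict shape) shows which of the three conditions a values file still misses; a numeric runAsUser satisfies the runAsNonRoot check regardless of the image's USER, while the read-only rootfs only holds up once the directories the init container and the server write to are backed by volumes.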

argb10 commented 3 months ago

Hi! Seems like they are not supporting this. I managed to run the container, but you need to modify the docker image. Create the user in the image and use this inside the Dockerfile to run the process as user 500:

    # the group must exist before adduser -G can reference it
    RUN addgroup -S gdbgroup
    RUN adduser -D -u 500 -G gdbgroup gdbuser
    USER 500

Hope it helps.