pmint93 / helm-charts

My helm charts
https://pmint93.github.io/helm-charts/
Apache License 2.0

Helm chart doesn't allow pod securityContext #77

Closed adrianbumbas closed 11 months ago

adrianbumbas commented 1 year ago

By default, the metabase pod runs as root in Kubernetes even though it defines the metabase user (UID 2000).

pmint93 commented 1 year ago

@adrianbumbas Can you share the reference where "it" defines the metabase user with a UID of 2000?

adrianbumbas commented 1 year ago

Run this command on the metabase pod

  /# cat /etc/passwd | grep metabase
  metabase:x:2000:2000:Linux User,,,:/home/metabase:/bin/ash

pmint93 commented 1 year ago

I have no idea how the UID of 2000 got there, and there is no official document for running metabase as a non-root user. It seems no one has ever tried to do so.

If you have experience with that, please share your suggestions.

adrianbumbas commented 1 year ago

There is absolutely no reason for metabase to run as root. Please specify securityContext at the deployment level and I will do some tests.

pmint93 commented 1 year ago

@adrianbumbas You should fork/clone the chart, add securityContext and test on it first. Once we confirm it works, I can merge your fork via a PR.

jhunterc15 commented 12 months ago

I created a PR that adds hooks so that you can specify your own security context. If you would prefer a different solution let me know. This should not be a breaking change and would allow users who have specific security restraints to use the chart. #89.

adrianbumbas commented 11 months ago

Thanks for the update, I just tested successfully with the following settings:

  securityContext:
    runAsUser: 2000
    runAsGroup: 2000
    runAsNonRoot: true
    capabilities:
      drop:
        - ALL

You should add this in the default config for the Helm chart.
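
A way to verify that a deployed workload actually gets the settings from the comment above, as an added example that is not part of the thread or of the chart: it audits a Deployment object (the JSON that `kubectl get deploy -o json` returns) for the effective `runAsUser`, `runAsNonRoot` and dropped capabilities per container. The function name `audit_nonroot` and the sample manifest, including its container names and images, are constructed for illustration.

```python
import json

# Constructed sample Deployment; names and images are placeholders,
# not values taken from the chart.
SAMPLE = json.loads("""
{"kind": "Deployment",
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 2000, "runAsGroup": 2000},
   "containers": [
     {"name": "metabase", "image": "example/metabase",
      "securityContext": {"runAsNonRoot": true,
                          "capabilities": {"drop": ["ALL"]}}},
     {"name": "sidecar", "image": "example/sidecar",
      "securityContext": {"runAsUser": 0}}
   ]}}}}
""")


def audit_nonroot(deployment):
    """Return {container_name: [findings]} for one Deployment object."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    report = {}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}

        def eff(key):
            # Container-level values override pod-level ones for these fields.
            return sc.get(key, pod_sc.get(key))

        findings = []
        uid = eff("runAsUser")
        if uid == 0:
            findings.append("runAsUser is 0 (root)")
        elif uid is None:
            findings.append("runAsUser unset: image default user applies")
        if eff("runAsNonRoot") is not True:
            findings.append("runAsNonRoot is not true")
        # capabilities exists only in the container-level securityContext.
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append("capabilities.drop lacks ALL")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_nonroot(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

A container with no `securityContext` at either level is reported with all three findings, which is the default state described at the top of this issue.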