Open enriquecaballero opened 2 years ago
Thanks. The default CMD of the RStudio-based images is to run the s6 init system (as root), which then runs RStudio (but allows users to add other services as well). Can you try running the container as the user rstudio and overriding the default CMD to just run rserver directly?
I don't run on Kubernetes much so don't have a quick mechanism to set up a playground to reproduce this. (I'm also not clear on the technical definition of "strict Kubernetes"). I do think folks have had success running RStudio server as non-root already in other contexts (podman and singularity iirc), but not super familiar with those either so maybe others can chime in.
Ah, I'll give that a try now.
Did you solve the problem? I will close this for now, but feel free to open it again.
I did not solve the problem using the Rocker Docker image; unfortunately, I never got it to work.
I ended up building my own custom Docker image based off of Kubeflow’s Dockerfile: https://github.com/kubeflow/kubeflow/tree/master/components/example-notebook-servers/rstudio
Thank you for sharing that with us. Unfortunately, I can't help you because I don't run RStudio Server as non-root or use k8s either.
That’s fine.
The RStudio Server requires root if it’s authenticating multiple users because it relies on the underlying Linux system for users. The only workaround was building a single-user no-auth RStudio image where the server process is started by this non-root user. We had to change our design in that we’re now issuing a container for every single developer that requires access to RStudio and controlling auth via nginx’s forwardauth at the Ingress level.
I suspect many people will run into this issue when deploying to a cluster they don’t manage with strict security policies. The documentation might need to be updated to reflect this.
Yes, it would be great if there is documentation on such uses. The source code for the Rocker Project website resides in the following repository, so if you would be willing to contribute documentation to this, it would be greatly appreciated. https://github.com/rocker-org/website
With "rootless" Podman, it was possible to run everything as root.
This was required to share data between container and host, because, in rootless mode, host uid:gid are mapped to root 0:0.
Running with a rstudio user was messy because internal rstudio user uid:gid (1000:1000) are mapped to a different host user, depending on subuid/subgid.
We still had some issues with (alternative) groups access (--group-add keep-groups was lost after rstudio server login)
Anyway, I don't know Kubernetes "strict mode", different thing from Podman "rootless" mode ...
Original reference: "How to share files between rstudio/rocker and external folders with podman" #346
@enriquecaballero - Did you solve this? I'm also trying to run rstudio-server as non root on a cluster. Can you share your image?
I know that the rocker/binder images work fine as non-root, so that is an option to run RStudio if needed. You can hit /rstudio after launching the container I think.
The cluster we deploy to requires us to run all of our deployments as non-root. This means we must set up the securityContext to runAsUser: 1000, however this is not possible as root is required to run everything inside the container. It looks like it is possible to run RStudio Server as non-root by looking at this: https://github.com/rstudio/rstudio/issues/9496
Are there any examples of running the Rocker RStudio images in an air-gapped strict Kubernetes environment?