Cannot run temporal services as non-root user in kubernetes

siva · February 4, 2021, 3:33pm

We have restrictions in our enterprise k8s environment to block running containers as root user. Kubernetes also recommends running containers as non-root user - 11 Ways (Not) to Get Hacked | Kubernetes

Starting temporal containers (using the helm chart from temporal helm chart repo) as non-root user throws the below permission error:

dockerize -template /etc/temporal/config/config_template.yaml:/etc/temporal/config/docker.yaml
2021/02/04 14:28:48 unable to create open /etc/temporal/config/docker.yaml: permission denied

Currently, I did a workaround by creating a custom image with permission for non-root user to /etc/temporal/ dir.

Can we update the dockerfile and helm chart to run temporal services as non-root user by default?

Wenquan_Xing · February 4, 2021, 9:28pm

Hi Siva,

Can you create an github issue for this?

siva · February 5, 2021, 12:38am

Done - Cannot run temporal services as non-root user in kubernetes · Issue #1263 · temporalio/temporal · GitHub. Thanks!

amlanroy1980 · March 23, 2021, 3:38pm

Hi @Wenquan_Xing,
Is there any timeline when this issue will be fixed? We are also facing the same problem.

derek · March 23, 2021, 8:32pm

this is on our radar and we do plan on eventually making this happen. at the same time, the work has not been scheduled yet.

but there’s no reason temporal inherently needs to run with root and we’re totally open to accepting PRs to make this possible in the meantime.

thank you for your feedback as interest in specific issues helps us to prioritize our efforts!

sagardeo21 · July 14, 2021, 3:31pm

Hi @derek Is there any ETA on getting this rolled out?

derek · July 14, 2021, 5:05pm

definitely still open to PRs, no ETA.