Cannot run temporal services as non-root user in kubernetes

We have restrictions in our enterprise k8s environment to block running containers as root user. Kubernetes also recommends running containers as non-root user - 11 Ways (Not) to Get Hacked | Kubernetes

Starting temporal containers (using the helm chart from temporal helm chart repo) as non-root user throws the below permission error:

  dockerize -template /etc/temporal/config/config_template.yaml:/etc/temporal/config/docker.yaml
  2021/02/04 14:28:48 unable to create open /etc/temporal/config/docker.yaml: permission denied

Currently, I have worked around this by creating a custom image that gives the non-root user permission on the /etc/temporal/ dir.

Can we update the dockerfile and helm chart to run temporal services as non-root user by default?

Hi Siva,

Can you create a GitHub issue for this?

Done - Cannot run temporal services as non-root user in kubernetes · Issue #1263 · temporalio/temporal · GitHub. Thanks!

Hi @Wenquan_Xing,
Is there any timeline when this issue will be fixed? We are also facing the same problem.

this is on our radar and we do plan on eventually making this happen. at the same time, the work has not been scheduled yet.

but there’s no reason temporal inherently needs to run with root and we’re totally open to accepting PRs to make this possible in the meantime.

thank you for your feedback as interest in specific issues helps us to prioritize our efforts!

Hi @derek Is there any ETA on getting this rolled out?

definitely still open to PRs, no ETA.

Hi,
I have the same requirement to run temporal services as a non-root user and I see that the associated github issue was addressed with this PR.

I’m testing out a helm deployment using MySQL as the only dependency and I still end up with containers running as root. Looking at the helm template, I see that securityContext is preceded by this if statement, which means that the securityContext is only added if either cassandra or elasticsearch are enabled. Could this be updated so that containers don’t run as root when using MySQL only?
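As an added illustration (not a post from this thread and not the temporalio/helm-charts project's own template), the pod spec below is what a Temporal service Deployment should render to regardless of which datastore is enabled: the securityContext is placed unconditionally at pod level, so it is not skipped when Cassandra and Elasticsearch are disabled. The deployment name, image tag and uid/gid 1000 are assumptions; the real chart's names and values differ.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: temporal-frontend          # assumed name
spec:
  selector:
    matchLabels:
      app: temporal-frontend
  template:
    metadata:
      labels:
        app: temporal-frontend
    spec:
      # Pod-level context applies to every container (init containers
      # included). Rendering it here, outside any "if cassandra or
      # elasticsearch" conditional, is what keeps a MySQL-only deployment
      # from silently falling back to root.
      securityContext:
        runAsNonRoot: true           # kubelet refuses to start a uid-0 container
        runAsUser: 1000              # assumed uid; must be able to write the config dir
        runAsGroup: 1000
        fsGroup: 1000                # mounted volumes are made group-writable for this gid
      containers:
        - name: temporal-frontend
          image: temporalio/server:<version>   # placeholder tag
          args: ["/etc/temporal/entrypoint.sh"] # assumed entrypoint
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # dockerize renders /etc/temporal/config/docker.yaml at start-up.
          # With runAsUser set, that path must be writable by uid 1000, which
          # is exactly what the custom-image workaround earlier in the thread
          # provides (chown/chmod of /etc/temporal in the Dockerfile).
          ports:
            - containerPort: 7233
```

Two checks worth running after a deploy: `kubectl get deploy temporal-frontend -o jsonpath='{.spec.template.spec.securityContext}'` should print the context above rather than an empty string, and `kubectl exec deploy/temporal-frontend -- id -u` should return 1000, not 0. If the image still starts its process as root, `runAsNonRoot: true` makes the kubelet fail the container with a "container has runAsNonRoot and image will run as root" event instead of running it, which is the desired failure mode under the enterprise restriction described at the top of the thread.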

Could this be updated so that containers don’t run as root when using MySQL only?

Yes it can be, imo. Could you open an issue in the helm-charts repo and I will add it.

Thanks, I created [Bug] Cannot run temporal services as non-root user in kubernetes · Issue #307 · temporalio/helm-charts · GitHub

I took a stab at addressing the issue with Run as nonRoot with Cassandra and Elasticsearch disabled by fivos · Pull Request #308 · temporalio/helm-charts · GitHub