Cannot run temporal services as non-root user in kubernetes

siva · February 4, 2021, 2:33pm

We have restrictions in our enterprise k8s environment to block running containers as root user. Kubernetes also recommends running containers as non-root user - 11 Ways (Not) to Get Hacked | Kubernetes

Starting temporal containers (using the helm chart from temporal helm chart repo) as non-root user throws the below permission error:

dockerize -template /etc/temporal/config/config_template.yaml:/etc/temporal/config/docker.yaml
2021/02/04 14:28:48 unable to create open /etc/temporal/config/docker.yaml: permission denied

Currently, I did a workaround by creating a custom image with permission for non-root user to /etc/temporal/ dir.

Can we update the dockerfile and helm chart to run temporal services as non-root user by default?

Wenquan_Xing · February 4, 2021, 9:28pm

Hi Siva,

Can you create an github issue for this?

siva · February 5, 2021, 12:38am

Done - Cannot run temporal services as non-root user in kubernetes · Issue #1263 · temporalio/temporal · GitHub. Thanks!

amlanroy1980 · March 23, 2021, 3:38pm

Hi @Wenquan_Xing,
Is there any timeline when this issue will be fixed? We are also facing the same problem.

derek · March 23, 2021, 8:32pm

this is on our radar and we do plan on eventually making this happen. at the same time, the work has not been scheduled yet.

but there’s no reason temporal inherently needs to run with root and we’re totally open to accepting PRs to make this possible in the meantime.

thank you for your feedback as interest in specific issues helps us to prioritize our efforts!

sagardeo21 · July 14, 2021, 3:31pm

Hi @derek Is there any ETA on getting this rolled out?

derek · July 14, 2021, 5:05pm

definitely still open to PRs, no ETA.

fivos · July 30, 2022, 11:58pm

Hi,
I have the same requirement to run temporal services as a non-root user and I see that the associated github issue was addressed with this PR.

I’m testing out a helm deployment using MySQL as the only dependency and I still end up with containers running as root. Looking at the helm template, I see that securityContext is preceded by
this if statement, which means that the securityContext is only added if either cassandra or elasticsearch are enabled. Could this be updated so that containers don’t run as root when using MySQL only?

tihomir · July 31, 2022, 8:51pm

Could this be updated so that containers don’t run as root when using MySQL only?

Yes it can be imo. Could you open issue in helm charts repo and will add.

fivos · August 1, 2022, 3:23am

Thanks, I created [Bug] Cannot run temporal services as non-root user in kubernetes · Issue #307 · temporalio/helm-charts · GitHub

fivos · August 2, 2022, 6:20pm

I took a stab at addressing the issue with Run as nonRoot with Cassandra and Elasticsearch disabled by fivos · Pull Request #308 · temporalio/helm-charts · GitHub

Topic		Replies	Views
Run temporalio/server Docker image as unprivileged? Community Support docker , server	4	946	September 7, 2021
Temporal Web and Admintools PODs are running with root user Server Deployment web-ui	2	675	August 18, 2022
Kubernetes deployment Community Support helm	1	1395	February 16, 2022
Unable to get a working custom temporal server Community Support java-sdk , mysql , configuration	8	3359	October 30, 2023
Issues with temporal pods after upgrading the EKS cluster Server Deployment	0	59	June 20, 2024

Cannot run temporal services as non-root user in kubernetes

Related topics