Ability to run devpods as non-root or even in restricted pod security standard environments #12
Comments
This is a feature I am also trying to navigate around too.

I played around just setting

@chgl One of the problems here is that the init container is based on the workspace container, so we can't know in advance whether root is needed or not. For some cases it would work for sure, maybe that's something we could solve for in a provider option or a devcontainer customization.

@chgl does the init container have to run as root? I was trying to use this: loft-sh/devpod#547, but no luck.

@pascalbreuninger You're right, it will definitely need to be opt-in. I think the base requirement can be a base image with a non-root user with a writeable home directory - the location for any persistence/markers that devpod requires. @solomonakinyemi thanks for sharing! I wasn't aware of that. But it looks like the init-container is currently hard-coded to run as root, see:

devpod-provider-kubernetes/pkg/kubernetes/init_container.go, lines 42 to 45 in 05c6b06
devpod-provider-kubernetes/pkg/kubernetes/run.go, lines 238 to 240 in 05c6b06

@pascalbreuninger Running as an unprivileged container user is a feature of Visual Studio Code dev containers. What does this imply for implementation within DevPod?

@sanmai-NL wow, I totally missed this question - sorry.

@sanmai-NL Makes sense 👍 Setting the option to Let us know how it goes for you!
Currently, at least the init container seems to require running as root (UID 0), see:

devpod-provider-kubernetes/pkg/kubernetes/init_container.go, line 45 in 05c6b06

It would be great if we could deploy devpod to clusters that require running as non-root. Even better, to clusters that use the restricted pod security standard: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted.
Is this something that is technically possible?
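For reference, here is what a workspace pod that satisfies the restricted pod security standard looks like, with the init container running as the image's non-root user and persisting its markers in a writable emptyDir home. This is an added illustration, not the provider's generated spec; the image name, UID 1000, the `/home/user` path and the marker file are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: devpod-workspace-example        # constructed name
spec:
  # Pod-level settings the "restricted" profile checks for every container
  securityContext:
    runAsNonRoot: true                   # kubelet refuses to start a UID-0 process
    runAsUser: 1000                      # assumption: the workspace image ships a user with this UID
    runAsGroup: 1000
    fsGroup: 1000                        # mounted volumes become writable for that user
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - name: home                           # writable home without touching any root-owned path
    emptyDir: {}
  initContainers:
  - name: init
    image: example.invalid/workspace:latest   # placeholder for the workspace image
    # constructed marker path, standing in for whatever persistence devpod needs
    command: ["sh", "-c", "mkdir -p /home/user/.devpod && touch /home/user/.devpod/ready"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: home
      mountPath: /home/user
  containers:
  - name: workspace
    image: example.invalid/workspace:latest
    command: ["sleep", "infinity"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: home
      mountPath: /home/user
```

In a namespace labelled `pod-security.kubernetes.io/enforce=restricted`, the same manifest with `runAsUser: 0` on the init container (as the hard-coded value above would produce) is rejected at admission, which is a quick way to verify whether a provider change actually meets the standard.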