openanalytics/shinyproxy-operator

Running POD/container as a different user

Closed this issue · 2 comments

Hello,

We would like to run the POD/Container as a different user using runAsUser under security context in pod.
Is there a way to achieve this in shinyproxy operator?

Hi

This is possible using the Kubernetes patches feature. If you want to run the ShinyProxy server pod using a different securityContext use:

apiVersion: openanalytics.eu/v1alpha1
kind: ShinyProxy
metadata:
  name: example-shinyproxy
  namespace: shinyproxy
spec:
  proxy:
    # ...
  kubernetesPodTemplateSpecPatches: |
    - op: add
      path: /spec/securityContext
      value:
        runAsUser: 1000
        runAsGroup: 3042
        fsGroup: 2042
  image: openanalytics/shinyproxy:2.5.0
  imagePullPolicy: Always
  fqdn: shinyproxy-demo.local

If you want to run an app using a different securityContext use:

apiVersion: openanalytics.eu/v1alpha1
kind: ShinyProxy
metadata:
  name: example-shinyproxy
  namespace: shinyproxy
spec:
  proxy:
    specs:
    - id: 01_hello
      displayName: Hello Application
      description: Application which demonstrates the basics of a Shiny app
      containerCmd: ["R", "-e", "shinyproxy::run_01_hello()"]
      containerImage: openanalytics/shinyproxy-demo
      kubernetes-pod-patches: |
       - op: add
         path: /spec/securityContext
         value:
           runAsUser: 1042
           runAsGroup: 3042
           fsGroup: 2042
    # ...

Note: with the official ShinyProxy Docker image (i.e. openanalytics/shinyproxy) you won't be able to use a different runAsUser value than 1000. The Docker image is set up to use a non-root user and therefore it requires specific directory permissions inside the image. Because it's already using a non-root user, I don't believe it's required to use a different runAsUser anyway.
In addition, I would always advise using our image instead of building your own (of course you can extend it if needed). In the latest release (2.5.0) we made some optimizations to the image, regarding image size, startup time and security.

I believe this question is answered and therefore I'll close this issue.
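
An added example, not part of the issue thread or the project's code: the `op`/`path`/`value` entries above are JSON Patch (RFC 6902) operations, so this sketch applies the server-pod patch to a constructed pod template and reports the UID each container would run as. The pod template, the `sidecar` container and the helper names are assumptions made for illustration; the point is that `add` on an existing `/spec/securityContext` replaces it wholesale and that a container-level `runAsUser` still overrides the pod-level one.

```python
import copy

def pointer_tokens(path):
    # RFC 6901: "/a/b" -> ["a", "b"], unescaping ~1 -> "/" and ~0 -> "~"
    return [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]

def apply_add_ops(doc, patch):
    """Apply RFC 6902 'add' operations (the only op used in the thread)."""
    doc = copy.deepcopy(doc)
    for op in patch:
        if op["op"] != "add":
            raise ValueError("only 'add' is handled in this sketch")
        *parents, last = pointer_tokens(op["path"])
        target = doc
        for tok in parents:  # the parent must already exist, as RFC 6902 requires
            target = target[int(tok)] if isinstance(target, list) else target[tok]
        if isinstance(target, list):
            target.insert(len(target) if last == "-" else int(last), op["value"])
        else:
            target[last] = op["value"]  # an existing member is replaced, not merged
    return doc

def effective_run_as_user(pod):
    """UID per container: the container-level setting wins over the pod-level one."""
    pod_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
    return {c["name"]: c.get("securityContext", {}).get("runAsUser", pod_uid)
            for c in pod["spec"]["containers"]}

# The patch from the first manifest in the thread.
SERVER_PATCH = [{"op": "add", "path": "/spec/securityContext",
                 "value": {"runAsUser": 1000, "runAsGroup": 3042, "fsGroup": 2042}}]

# Constructed pod template (hypothetical, not what the operator generates).
POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "shinyproxy"},
        {"name": "sidecar", "securityContext": {"runAsUser": 2000}},
    ]}}

if __name__ == "__main__":
    patched = apply_add_ops(POD, SERVER_PATCH)
    print(patched["spec"]["securityContext"])  # runAsNonRoot is gone after the add
    print(effective_run_as_user(patched))
```

If the pod already carries hardening fields you want to keep, list them in the patch `value` as well, or patch the individual keys (for example `/spec/securityContext/runAsUser`) instead of the whole object.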