pmint93/helm-charts

Helm chart doesn't allow pod securityContext

adrianbumbas opened this issue · 7 comments

By default the metabase pod runs as root in Kubernetes even though it defines the metabase user (UID 2000)

@adrianbumbas Can you share the reference at which "it" defines metabase user with UID of 2000?

Run this command on the metabase pod

/# cat /etc/passwd | grep metabase
metabase:x:2000:2000:Linux User,,,:/home/metabase:/bin/ash

I have no idea how UID of 2000 got there and there is no official document for running metabase as non-root user. It seems no one ever tried to do so.

If you have experience with that, please share your suggestion.

There is absolutely no reason for metabase to run as root. Please specify securityContext at the deployment level and I will do some tests.

@adrianbumbas You should fork/clone the chart, add securityContext and test on it first. When we confirm it works, then I can merge your fork via a PR.

I created a PR that adds hooks so that you can specify your own security context. If you would prefer a different solution let me know. This should not be a breaking change and would allow users who have specific security restraints to use the chart. #89.

Thanks for the update, I just tested successfully with the following settings:

  securityContext:
    runAsUser: 2000
    runAsGroup: 2000
    runAsNonRoot: true
    capabilities:
      drop:
        - ALL

You should add this in the default config for the Helm chart.
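
A way to check a rendered Deployment for the settings discussed in this thread, as an added example that is not part of the thread or the chart. It assumes the manifest is available as JSON; the sample manifest, the container names and the `audit_deployment` helper are constructed for illustration. It also reports `capabilities` placed on the pod-level securityContext, because Kubernetes defines that field only on the container-level securityContext.

```python
import json

# Constructed sample in the shape of a Deployment manifest (not from the chart).
# The pod-level context carries the UID/GID settings; capabilities sit on the container.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "metabase"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 2000, "runAsGroup": 2000, "runAsNonRoot": true},
   "containers": [
     {"name": "metabase",
      "securityContext": {"capabilities": {"drop": ["ALL"]}}},
     {"name": "sidecar", "securityContext": {"runAsUser": 0}}
   ]}}}}
""")

def audit_deployment(dep):
    """Return {container_name: [findings]} for the pod template in `dep`."""
    pod_spec = dep["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    report = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level values override pod-level ones for these two fields.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        findings = []
        if uid == 0:
            findings.append("runAsUser is 0 (root)")
        elif uid is None and not non_root:
            findings.append("no runAsUser set: the image's default user applies")
        if not non_root:
            findings.append("runAsNonRoot is not true")
        # capabilities is a container-level field only.
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drop]:
            findings.append("capabilities.drop does not include ALL")
        if "capabilities" in pod_sc:
            findings.append("capabilities set at pod level, where the field does not exist")
        report[c["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_deployment(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```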