k6-browser Docker image not working in non-privileged environments

[tao-aleixandre]

trafficstars

Brief summary

The current official Docker image (grafana/k6:0.57.0-with-browser) requires privileged capabilities (root access or seccomp adjustments) to properly launch Chromium. (SYS_ADMIN capability or root similar)

k6 version

v0.57.0

OS

Kubernetes cluster running on Linux

Docker version and image (if applicable)

grafana/k6:0.57.0-with-browser

Steps to reproduce the problem

Steps to Reproduce the Problem

1. Create a Kubernetes Pod in a restricted namespace:

   • The namespace has Pod Security Admission (PSA) or Gatekeeper policies applied.
   • Example restrictions:
     • privileged: false
     • allowPrivilegeEscalation: false
     • runAsNonRoot: true

2. Deploy a Pod using the official Docker image:

   • Image: grafana/k6:0.57.0-with-browser
   • Command:

     k6 run /path/to/browser-test.js
     

3. Run a basic browser test (xk6-browser) in the pod:

   • The test uses browser.newPage(), navigates to a URL, performs login steps, and takes screenshots.

4. Check the error when Chromium launches:

   • Error message:

     process with PID xx unexpectedly ended: signal: trace/breakpoint trap (core dumped)
     error building browser on IterStart: launching browser: browser process ended unexpectedly
     

   • This happens immediately after calling:

     const page = await browser.newPage();
     
     
     

Expected behaviour

The k6-browser container should be able to run in restricted kubernetes environments: - Run as a non-root user. - Not require CAP_SYS_ADMIN

Actual behaviour

The k6-browser Docker image fails to run in Kubernetes environments where containers are restricted from running as root or with elevated privileges. Error shows that Chromium crashes in the middle of the execution.