helm-charts

[Feature Request] Make components work in a read-only file system and non root

Open JRBANCEL opened this issue 4 months ago • 0 comments

Is your feature request related to a problem? Please describe.

A security context like this:

    containerSecurityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    securityContext:
      fsGroup: 1000
      runAsUser: 1000
      runAsGroup: 1000

is standard.

Several components fail with those settings:

    unable to create open /etc/temporal/config/docker.yaml: read-only file system
    unable to create open ./config/docker.yaml: permission denied

Describe the solution you'd like

For the FS part, typically an emptyDir is mounted where the code needs to write. For the rest, not sure what the issue is, but the container should not need to run as root in order to run.

JRBANCEL avatar Oct 15 '24 05:10 JRBANCEL
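As an added illustration of the requested fix (this is example YAML, not a manifest from the helm-charts project), the Pod spec below keeps the hardened security context exactly as quoted in the issue and adds an `emptyDir` volume mounted at `/etc/temporal/config`, the path from the first error message. With `readOnlyRootFilesystem: true` the image layers are immutable, so any file the process renders at start-up has to land on a mounted volume; `fsGroup: 1000` makes that volume group-writable for the non-root user. The Pod name and `PLACEHOLDER_IMAGE` are assumptions to be replaced with the real component image.

```yaml
# Added example (not from the helm-charts project): a Pod that runs as a
# non-root user on a read-only root filesystem and still has a writable
# location for the config file the component renders at start-up.
apiVersion: v1
kind: Pod
metadata:
  name: temporal-component-example      # hypothetical name
spec:
  # Pod-level context, as quoted in the issue. fsGroup makes mounted volumes
  # group-owned by 1000, so the non-root process can write to them.
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
    runAsGroup: 1000
  volumes:
    # emptyDir is node-local scratch space that stays writable even when the
    # container's root filesystem is read-only.
    - name: rendered-config
      emptyDir: {}
  containers:
    - name: component
      image: PLACEHOLDER_IMAGE           # assumption: replace with the real image
      # Container-level context, as quoted in the issue.
      securityContext:
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      volumeMounts:
        # Path taken from the first error message in the issue.
        - name: rendered-config
          mountPath: /etc/temporal/config
```

Two caveats when applying this. First, mounting an `emptyDir` over `/etc/temporal/config` hides anything the image ships in that directory (templates, defaults); if the component reads static files from there, mount the volume at a narrower `subPath` or point the component at a different writable directory instead. Second, the `./config/docker.yaml: permission denied` error uses a relative path, so that component writes beneath its working directory, which the issue does not name; it needs either a second `emptyDir` on that directory or a `workingDir` set to the writable mount. A quick check after deploying is `kubectl exec <pod> -- touch /etc/temporal/config/probe` (should succeed) alongside `kubectl exec <pod> -- touch /probe` (should fail with a read-only filesystem error), which confirms the root FS is locked down while the scratch volume is writable.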