
feat: add non-root user to Docker images for PSA restricted compliance #3356

Open: will-corrigan wants to merge 9 commits into hatchet-dev:main from will-corrigan:feat/non-root-docker-images

will-corrigan commented Mar 20, 2026

Description

Adds a hatchet system user (UID 1000) to the servers and frontend Dockerfiles with explicit file ownership via COPY --chown, enabling Kubernetes deployments to opt into non-root execution.

Images continue to run as root by default — no breaking changes for existing users.

Type of change

  • New feature (non-breaking change which adds functionality)

What's Changed

Dockerfiles

  • build/package/servers.dockerfile: Create hatchet user (UID 1000), COPY --chown=hatchet:hatchet for binary and atlas-apply.sh
  • build/package/frontend.dockerfile: Create hatchet user (UID 1000), COPY --chown=hatchet:hatchet for hatchet-staticfileserver binary
  • build/package/dashboard.dockerfile: No non-root support (nginx requires root for port 80). Added TODO comment for future nginx-unprivileged migration.

Documentation

  • Added Pod Security Standards configuration section to frontend/docs/pages/self-hosting/kubernetes-helm-configuration.mdx

Why COPY --chown?

Makes file ownership explicit rather than relying on Alpine's default umask. When running as UID 1000, binaries owned by hatchet:hatchet are unambiguously accessible.

Usage

After this change, users can run Hatchet as non-root:

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

No action needed for existing deployments — they continue to run as root.

Companion PR

hatchet-dev/hatchet-charts#45 adds securityContext templating to the Helm charts.

Testing

  • task fmt — all pass
  • task test — all unit tests pass
  • task test-integration — all integration tests pass
  • All 3 Docker images build successfully
  • Verified on servers and frontend images:
    • User hatchet exists (UID 1000)
    • Binary files owned by hatchet:hatchet
    • Containers run correctly as --user 1000:1000
    • Binaries start successfully as non-root
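
The Pod Security Standards restricted profile also constrains container-level fields (allowPrivilegeEscalation, capabilities, seccompProfile) that the pod-level block in the description above does not set. The Python check below is an added example, not part of the PR or of Hatchet, and reports which of those controls a pod spec still fails. The container name "engine" and the mapping of the chart's podSecurityContext value onto the pod's spec.securityContext are assumptions.

```python
# Added example (not from the PR). Checks the securityContext controls of the
# Kubernetes Pod Security Standards "restricted" profile on a Linux pod spec dict.
# Volume types, host namespaces and other baseline controls are not checked.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Return a list of violations; an empty list means these controls pass."""
    out = []
    pod_sc = pod_spec.get("securityContext") or {}
    if pod_sc.get("runAsNonRoot") is False:
        out.append("pod: runAsNonRoot is false")
    if pod_sc.get("runAsUser") == 0:
        out.append("pod: runAsUser is 0")
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        # Container-level values override pod-level ones when both are set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            out.append(f"{name}: runAsUser is 0")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            out.append(f"{name}: only NET_BIND_SERVICE may be added")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

# Values from the PR description's Usage snippet, assumed to be rendered by the
# chart into the pod's spec.securityContext.
PR_POD_SC = {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000}

# Constructed pod specs; the container name "engine" is a placeholder.
pod_only = {"securityContext": PR_POD_SC, "containers": [{"name": "engine"}]}
hardened = {
    "securityContext": {**PR_POD_SC, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "engine", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("pod-level only", pod_only), ("hardened", hardened)):
        print(label, restricted_violations(spec) or "passes the checked controls")
```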


vercel Bot commented Mar 20, 2026

@will-corrigan is attempting to deploy a commit to the Hatchet Team on Vercel.

A member of the Team first needs to authorize it.

@promptless-for-oss

📝 Documentation updates detected!

New suggestion: Update self-hosting docs for non-root Docker images and PSA compliance



Create a hatchet system user (UID 1000) in all three Dockerfiles so
Kubernetes deployments can opt into non-root execution via securityContext.

Images continue to run as root by default for backward compatibility.
To run as non-root, set runAsUser: 1000 in the pod securityContext or
pass --user 1000 to docker run.

Signed-off-by: Will Corrigan <will-corrigan@users.noreply.github.com>