
[Bug] Cannot run temporal services as non-root user in kubernetes #307

Closed
fivos opened this issue Aug 1, 2022 · 1 comment
Labels
bug Something isn't working

fivos commented Aug 1, 2022

What are you really trying to do?

I'm trying to deploy the Temporal helm chart on Kubernetes, with an existing MySQL DB as the only dependency (i.e. not using Cassandra or Elasticsearch). I have a requirement to run all services on Kubernetes as a non-root user.

Describe the bug

The issue described is the same as temporalio/temporal#1263 and mentioned in this forum thread. The original issue was closed with #221, which introduced the following:

securityContext:
  fsGroup: 1000 #temporal group
  runAsUser: 1000 #temporal user

However, the if statement preceding the securityContext block requires either Cassandra or Elasticsearch to be enabled. Since I'm not using either, securityContext is not added to my deployment.

Minimal Reproduction

Install helm chart with

helm install -f values/values.mysql.yaml temporaltest \
  --set elasticsearch.enabled=false \
  --set server.config.persistence.default.sql.user=mysql_user \
  --set server.config.persistence.default.sql.password=mysql_password \
  --set server.config.persistence.visibility.sql.user=mysql_user \
  --set server.config.persistence.visibility.sql.password=mysql_password \
  --set server.config.persistence.default.sql.host=mysql_host \
  --set server.config.persistence.visibility.sql.host=mysql_host . --timeout 900s

Environment/Versions

  • OS and processor: Linux
  • Temporal Version: 1.17.1
  • Are you using Docker or Kubernetes or building Temporal from source?: Kubernetes
fivos added a commit to fivos/temporal-helm-charts that referenced this issue Aug 2, 2022
Update server-deployment template to ensure that securityContext is added even if Cassandra and Elasticsearch are disabled (e.g. for a MySQL only installation).

Resolves: temporalio#307
@robholland (Contributor)

Fixed in #494
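
An added example, not part of the issue thread or the chart's own code: a Python check that reads JSON in the shape of `kubectl get deployments -o json` and lists every container with no effective non-root setting, which is how the missing securityContext described in the issue shows up in a cluster. The deployment names, container name and sample data are constructed for illustration.

```python
import json
import sys

def deployment(name, pod_sc=None, ctr_sc=None):
    """Build a constructed Deployment object with one container (sample data only)."""
    ctr = {"name": "temporal"}
    if ctr_sc is not None:
        ctr["securityContext"] = ctr_sc
    pod = {"containers": [ctr]}
    if pod_sc is not None:
        pod["securityContext"] = pod_sc
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": pod}}}

# Constructed sample shaped like `kubectl get deployments -o json`.
SAMPLE = {"kind": "List", "items": [
    deployment("temporaltest-frontend", pod_sc={"fsGroup": 1000, "runAsUser": 1000}),
    deployment("temporaltest-history"),  # securityContext block was not rendered
    deployment("temporaltest-worker", pod_sc={"runAsUser": 1000}, ctr_sc={"runAsUser": 0}),
]}

def audit(deploy_list):
    """Return (deployment, container, reason) for every container that may run as root."""
    findings = []
    for d in deploy_list.get("items", []):
        if d.get("kind") != "Deployment":
            continue
        pod = d["spec"]["template"]["spec"]
        pod_sc = pod.get("securityContext") or {}
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            sc = c.get("securityContext") or {}
            # Container-level settings override the pod-level ones.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            if uid == 0:
                findings.append((d["metadata"]["name"], c["name"], "runAsUser is 0"))
            elif uid is None and not non_root:
                findings.append((d["metadata"]["name"], c["name"],
                                 "no runAsUser or runAsNonRoot set"))
    return findings

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run interactively to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(data)
    for finding in results:
        print(*finding, sep="\t")
    sys.exit(1 if results else 0)
```

A container flagged with "no runAsUser or runAsNonRoot set" runs as whatever user the image defines, so the non-zero exit status can gate a deployment pipeline that enforces the non-root requirement.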
