Sign InTry Free

Run Containers as a Non-root User

In some Kubernetes environments, containers cannot be run as the root user. In this case, you can set securityContext to run containers as a non-root user.

Configure TiDB Operator containers

For TiDB Operator containers, you can configure security context in the Helm values.yaml file. All TiDB Operator components (at <controllerManager/scheduler/advancedStatefulset/admissionWebhook>.securityContext) support this configuration.

The following is an example configuration:

controllerManager: securityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 2000

Configure containers controlled by CR

For the containers controlled by Custom Resource (CR), you can configure security context in any CRs (TidbCluster/DmCluster/TidbInitializer/TidbMonitor/Backup/BackupSchedule/Restore) to make the containers run as a non-root user.

You can use either of the following two types of configuration. If you configure both the cluster level and the component level for a component, only the configuration of the component level takes effect.

  • Configure podSecurityContext at the cluster level (spec.podSecurityContext) for all components. The following is an example configuration:

    spec: podSecurityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 2000
  • Configure at the component level for a specific component. For example, configuring spec.tidb.podSecurityContext for TidbCluster, spec.master.podSecurityContext for DMCluster. The following is an example configuration:

    spec: pd: podSecurityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 2000 tidb: podSecurityContext: runAsUser: 1000 runAsGroup: 2000 fsGroup: 2000

Was this page helpful?

Download PDFRequest docs changesAsk questions on DiscordEdit this page
Playground
New
One-stop & interactive experience of TiDB's capabilities WITHOUT registration.
Products
TiDB
TiDB Dedicated
TiDB Serverless
Pricing
Get Demo
Get Started
© 2024 PingCAP. All Rights Reserved.
Privacy Policy.