
Run Containers as a Non-Root User



In some Kubernetes environments, containers cannot be run as the root user. For security reasons, it is recommended to run containers as a non-root user in production environments to reduce the risk of potential attacks. This document describes how to configure containers to run as a non-root user using the securityContext.

For TiDB Operator containers, configure the securityContext in the Helm values.yaml file.

The following is an example configuration:

    controllerManager:
      securityContext:
        runAsUser: 1000
        runAsGroup: 2000
        fsGroup: 2000

Configure containers generated by CR

For containers generated by Custom Resources (CRs), configure the securityContext in any CR, such as PDGroup, TiDBGroup, TiKVGroup, TiFlashGroup, TiCDCGroup, Backup, or Restore.

  • For CRs such as PDGroup, TiDBGroup, TiKVGroup, TiFlashGroup, and TiCDCGroup, configure the securityContext using the Overlay method. The following is an example configuration for the PDGroup CR:

    apiVersion: core.pingcap.com/v1alpha1
    kind: PDGroup
    metadata:
      name: pd
    spec:
      template:
        spec:
          overlay:
            pod:
              spec:
                securityContext:
                  runAsUser: 1000
                  runAsGroup: 2000
                  fsGroup: 2000

  • For CRs such as Backup and Restore, configure the podSecurityContext in the spec field. The following is an example configuration for the Backup CR:

    apiVersion: br.pingcap.com/v1alpha1
    kind: Backup
    metadata:
      name: backup
    spec:
      podSecurityContext:
        runAsUser: 1000
        runAsGroup: 2000
        fsGroup: 2000
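After applying either configuration, it is worth verifying what the scheduled Pods actually run as, because a container-level securityContext overrides the pod-level one and a container with no runAsUser at all falls back to the image's USER. The following audit script is an added example, not part of TiDB Operator or its documentation; the Pod JSON it inspects is constructed to look like `kubectl get pod -o json` output, with the image names and the `sidecar` container being hypothetical.

```python
"""Audit Pod specs for containers that are not proven to run as non-root.

Added example, not TiDB Operator code. Applies the Kubernetes precedence rule:
container.securityContext overrides pod.securityContext; unset means image default.
"""
import json

def effective_run_as_user(pod_spec: dict, container: dict):
    """UID the container runs as, or None when left to the image's USER."""
    ctr_sc = container.get("securityContext") or {}
    if "runAsUser" in ctr_sc:
        return ctr_sc["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")

def audit_pod(pod: dict) -> list:
    """Return (container name, reason) for every container that may be root."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = effective_run_as_user(spec, ctr)
        non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append((ctr["name"], "runAsUser is 0"))
        elif uid is None and not non_root:
            # Nothing pins the UID; the image default is often root.
            findings.append((ctr["name"], "no runAsUser and runAsNonRoot not set"))
    return findings

# Constructed sample: pod-level UID 1000 as on this page, an init container that
# inherits it, and a hypothetical sidecar that overrides the UID back to root.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "pd-0"},
 "spec": {
   "securityContext": {"runAsUser": 1000, "runAsGroup": 2000, "fsGroup": 2000},
   "initContainers": [{"name": "init", "image": "example/init"}],
   "containers": [
     {"name": "pd", "image": "example/pd"},
     {"name": "sidecar", "image": "example/sidecar", "securityContext": {"runAsUser": 0}}
   ]}}
""")
# Constructed sample with no securityContext anywhere: the UID is left to the image.
SAMPLE_POD_UNSET = json.loads(
    '{"metadata": {"name": "bare"}, "spec": {"containers": [{"name": "pd", "image": "example/pd"}]}}')

if __name__ == "__main__":
    for pod in (SAMPLE_POD, SAMPLE_POD_UNSET):
        for name, reason in audit_pod(pod):
            print(f"{pod['metadata']['name']}/{name}: {reason}")
```

In a real cluster, feed it the JSON of the Pods created by the PDGroup or Backup CR instead of the constructed samples.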
