Run Containers as a Non-Root User

In some Kubernetes environments, containers cannot run as the root user. For security reasons, it is also recommended to run containers as a non-root user in production environments to reduce the risk of potential attacks. This document describes how to configure containers to run as a non-root user using a securityContext.

For TiDB Operator containers, configure the securityContext in the Helm values.yaml file.

The following is an example configuration:

    controllerManager:
      securityContext:
        runAsUser: 1000
        runAsGroup: 2000
        fsGroup: 2000

Configure containers generated by CR

For containers generated by Custom Resources (CRs), configure the securityContext in any CR, such as PDGroup, TiDBGroup, TiKVGroup, TiFlashGroup, TiCDCGroup, Backup, CompactBackup, BackupSchedule, or Restore.

  • For CRs such as PDGroup, TiDBGroup, TiKVGroup, TiFlashGroup, and TiCDCGroup, configure the securityContext using the Overlay method. The following is an example configuration for the PDGroup CR:

    apiVersion: core.pingcap.com/v1alpha1
    kind: PDGroup
    metadata:
      name: pd
    spec:
      template:
        spec:
          overlay:
            pod:
              spec:
                securityContext:
                  runAsUser: 1000
                  runAsGroup: 2000
                  fsGroup: 2000
  • For CRs such as Backup, CompactBackup, BackupSchedule, and Restore, configure the podSecurityContext in the spec field. The following is an example configuration for the Backup CR:

    apiVersion: br.pingcap.com/v1alpha1
    kind: Backup
    metadata:
      name: backup
    spec:
      podSecurityContext:
        runAsUser: 1000
        runAsGroup: 2000
        fsGroup: 2000
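As an added example that is not part of TiDB Operator or this page, the following Python check reads the two CR shapes described above (the overlay path for the *Group CRs and spec.podSecurityContext for the BR CRs) and reports any CR that would still run as root or leaves one of the identity fields unset. The CR objects are constructed inline from the YAML on this page, and the function and constant names are the example's own.

```python
from typing import Any, Dict, List, Optional

# Where each CR kind carries its Pod securityContext, per the examples above:
# the overlay path for the *Group CRs, spec.podSecurityContext for the BR CRs.
OVERLAY_PATH = ("spec", "template", "spec", "overlay", "pod", "spec", "securityContext")
PATH_BY_KIND = {k: OVERLAY_PATH for k in ("PDGroup", "TiDBGroup", "TiKVGroup", "TiFlashGroup", "TiCDCGroup")}
PATH_BY_KIND.update({k: ("spec", "podSecurityContext") for k in ("Backup", "CompactBackup", "BackupSchedule", "Restore")})

# Constructed CRs mirroring the YAML on this page (sample objects, not read from a cluster).
PD_GROUP: Dict[str, Any] = {
    "apiVersion": "core.pingcap.com/v1alpha1", "kind": "PDGroup", "metadata": {"name": "pd"},
    "spec": {"template": {"spec": {"overlay": {"pod": {"spec": {"securityContext": {
        "runAsUser": 1000, "runAsGroup": 2000, "fsGroup": 2000}}}}}}},
}
BACKUP: Dict[str, Any] = {
    "apiVersion": "br.pingcap.com/v1alpha1", "kind": "Backup", "metadata": {"name": "backup"},
    "spec": {"podSecurityContext": {"runAsUser": 1000, "runAsGroup": 2000, "fsGroup": 2000}},
}
# A deliberately weak Backup: runs as UID 0 and leaves fsGroup unset.
ROOT_BACKUP: Dict[str, Any] = {
    "apiVersion": "br.pingcap.com/v1alpha1", "kind": "Backup", "metadata": {"name": "root-backup"},
    "spec": {"podSecurityContext": {"runAsUser": 0, "runAsGroup": 2000}},
}

def pod_security_context(cr: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the Pod-level securityContext the CR would apply, or None if absent."""
    node: Any = cr
    for key in PATH_BY_KIND[cr["kind"]]:  # KeyError for kinds this page does not cover
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def non_root_findings(cr: Dict[str, Any]) -> List[str]:
    """List why the CR does not pin its Pods to a non-root identity (empty = OK).
    Only the Pod-level context is inspected; a container-level one could still override it."""
    ctx = pod_security_context(cr) or {}
    findings = []
    for field in ("runAsUser", "runAsGroup", "fsGroup"):
        value = ctx.get(field)
        if value is None:
            findings.append(f"{field} is not set")
        elif value == 0:
            findings.append(f"{field} is 0 (root)")
    return findings

def audit(crs: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map kind/name to findings, e.g. as a gate run before `kubectl apply`."""
    return {f'{cr["kind"]}/{cr["metadata"]["name"]}': non_root_findings(cr) for cr in crs}
```

Run `audit([PD_GROUP, BACKUP, ROOT_BACKUP])` to see the weak Backup flagged while the two page examples pass.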
