Skip to content

Workflow Pod Security Context

By default, a workflow pods run as root. The Docker executor even requires privileged: true.

For other workflow executors, you can run your workflow pods more securely by configuring the security context for your workflow pod.

This is likely to be necessary if you have a pod security policy. You probably can't use the Docker executor if you have a pod security policy.

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: security-context-
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 8737 #; any non-root user

You can configure this globally using workflow defaults.

It is easy to make a workflow need root unintentionally

You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. mkdir /my-dir would require root.

You must use volumes for output artifacts

If you use runAsNonRoot - you cannot have output artifacts on base layer (e.g. /tmp). You must use a volume (e.g. empty dir).