Workflow Pod Security Context
By default, all workflow pods run as root. The Docker executor even requires
This is likely to be necessary if you have a pod security policy. You probably can't use the Docker executor if you have a pod security policy.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: security-context-
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 8737 # any non-root user
```
You can configure this globally using workflow defaults.
It is easy to make a workflow need root unintentionally
You may find that users' workflows have been written to require root with seemingly innocuous code. E.g. `mkdir /my-dir` creates a directory directly under `/`, which is owned by root in most images, so it fails once the pod runs as a non-root user.
You must use volumes for output artifacts
If you use `runAsNonRoot`, output artifacts cannot be collected from the container's base layer (e.g. `/tmp`). Write them to a volume (e.g. an empty dir) mounted into the container instead, and point the artifact `path` at that mount.
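The two pitfalls above are easy to catch before a workflow is submitted. The following is an added example, not code from Argo Workflows: a small linter over an already-parsed Workflow manifest (a dict, e.g. from PyYAML) that checks the workflow-level `securityContext`, optionally merged with assumed controller-level workflow defaults, flags containers that reintroduce root or `privileged`, and reports output artifacts whose `path` is not under one of the container's `volumeMounts`. The two sample workflows are constructed for illustration; the template names, image tags and paths are assumptions.

```python
"""Lint an Argo Workflow manifest for the pod security issues discussed above.

Added example, not Argo's own code. The manifest is a plain dict (as produced
by yaml.safe_load); the two sample workflows below are constructed inputs.
"""
from typing import Dict, List, Optional


def _on_volume(path: str, mounts: List[Dict]) -> bool:
    """True if `path` sits on one of the container's volumeMounts."""
    for m in mounts:
        mp = m["mountPath"].rstrip("/") or "/"
        if path == mp or path.startswith(mp + "/"):
            return True
    return False


def _check_security_context(sc: Dict, where: str) -> List[str]:
    out = []
    if sc.get("runAsNonRoot") is not True:
        out.append(f"{where}: runAsNonRoot is not true, so the pod runs as root")
    elif sc.get("runAsUser") == 0:
        out.append(f"{where}: runAsUser 0 contradicts runAsNonRoot; the kubelet rejects it")
    elif sc.get("runAsUser") is None:
        # Without an explicit UID the kubelet only starts the container if the
        # image declares a numeric non-root USER; otherwise the pod fails at runtime.
        out.append(f"{where}: runAsNonRoot without runAsUser relies on the image's USER")
    return out


def lint_workflow(wf: Dict, defaults: Optional[Dict] = None) -> List[str]:
    """Return a list of findings; an empty list means the manifest passed."""
    spec = wf.get("spec", {})
    # Workflow defaults (assumed controller config) apply where the Workflow is silent.
    sc = {**(defaults or {}).get("securityContext", {}), **spec.get("securityContext", {})}
    findings = _check_security_context(sc, "spec.securityContext")
    for tmpl in spec.get("templates", []):
        name = tmpl.get("name", "?")
        ctr = tmpl.get("container") or tmpl.get("script")
        if not ctr:
            continue  # steps/dag/resource templates have no main container to check
        csc = ctr.get("securityContext", {})
        if csc.get("privileged"):
            findings.append(f"template {name!r}: privileged container")
        if csc.get("runAsUser") == 0 or csc.get("runAsNonRoot") is False:
            findings.append(f"template {name!r}: container securityContext reintroduces root")
        mounts = ctr.get("volumeMounts", [])
        for art in tmpl.get("outputs", {}).get("artifacts", []):
            if not _on_volume(art["path"], mounts):
                findings.append(f"template {name!r}: output artifact {art['name']!r} at "
                                f"{art['path']} is on the base layer, not a mounted volume")
    return findings


# Constructed sample: runs as root and writes its artifact to the base layer.
WORKFLOW_ROOT = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
    "metadata": {"generateName": "security-context-"},
    "spec": {"entrypoint": "main", "templates": [{
        "name": "main",
        "container": {"image": "alpine:3.18", "command": ["sh", "-c"],
                      "args": ["mkdir /my-dir && echo hi > /tmp/out.txt"]},
        "outputs": {"artifacts": [{"name": "out", "path": "/tmp/out.txt"}]},
    }]},
}

# Constructed sample: non-root UID and an emptyDir for the artifact.
WORKFLOW_HARDENED = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Workflow",
    "metadata": {"generateName": "security-context-"},
    "spec": {
        "entrypoint": "main",
        "securityContext": {"runAsNonRoot": True, "runAsUser": 8737},
        "volumes": [{"name": "work", "emptyDir": {}}],
        "templates": [{
            "name": "main",
            "container": {"image": "alpine:3.18", "command": ["sh", "-c"],
                          "args": ["mkdir /work/my-dir && echo hi > /work/out.txt"],
                          "volumeMounts": [{"name": "work", "mountPath": "/work"}]},
            "outputs": {"artifacts": [{"name": "out", "path": "/work/out.txt"}]},
        }],
    },
}

# Assumed controller-level workflow defaults (the "configure this globally" case).
CONTROLLER_DEFAULTS = {"securityContext": {"runAsNonRoot": True, "runAsUser": 8737}}


if __name__ == "__main__":
    for label, wf in (("root", WORKFLOW_ROOT), ("hardened", WORKFLOW_HARDENED)):
        print(label, lint_workflow(wf) or "OK")
    print("root + defaults", lint_workflow(WORKFLOW_ROOT, CONTROLLER_DEFAULTS))
```

Run it and `WORKFLOW_ROOT` yields two findings (no `runAsNonRoot`, artifact on `/tmp`); with the assumed controller defaults merged in, only the artifact finding remains, which is the point of the second admonition: a global default fixes the user, not where outputs are written.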