[che-dev] Running Che and Che workspace as non root user.

Hi,

I posted this question here https://mattermost.eclipse.org/eclipse/channels/eclipse-che but had no feedback. So, I hope I can get information from the Che Dev community.

For security reasons, I would like to start Che and workspaces using a custom stack as a non-root user.

Using the latest Che helm chart to deploy it in a Kubernetes cluster, Che and Che.workspaces are run as root. At least that's what I see when shelling into the container and using the id command.

I modified a custom stack and used securityContext.runAsUser and securityContext.fsGroup at the container level to run as an existing user. It seems to come up with that user id.

However, the problem seems to come from the fact that /projects is owned by root:

drwxr-xr-x. 3 root root 4096 Mar 12 19:45 /projects/

Clearly, this does not bode too well with that user id when s/he tries to write to /projects.

Can this be resolved?
Are there reasons why /projects does not belong to the user/group as specified by the securityContext settings?

Is there a way to change user/group ids of /projects? If so, how?

Are there any other options?

Is this a configuration matter or is Che only working with root privileges?

Any feedback is greatly appreciated.

Son Nguyen