Workflow Pod Security Context¶
By default, all workflow pods run as root. The Docker executor even requires privileged: true.
For other workflow executors, you can run your workflow pods more securely by configuring the security context for your workflow pod.
This is likely to be necessary if you have a pod security policy. You probably can't use the Docker executor if you have a pod security policy.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: security-context-
spec:
securityContext:
runAsNonRoot: true
runAsUser: 8737 #; any non-root user
You can configure this globally using workflow defaults.
It is easy to make a workflow need root unintentionally
You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. mkdir /my-dir would require root.
You must use volumes for output artifacts
If you use runAsNonRoot - you cannot have output artifacts on base layer (e.g. /tmp). You must use a volume (e.g. empty dir).