Rootless #879

Open
ssinnott wants to merge 8 commits into main from rootless

ssinnott commented Jun 2, 2026

So the idea here is to wire up a rootless version of Workbench in the Helm charts:

  1. There's a simple high-level flag (pod.runAsRoot) that defaults to true (for now), but you can set it to false to basically wire in a pretty separate mode for Workbench, where:
    a. sssd is disabled - you need to use SCIM instead.
    b. Workbench and pods that it launches will use the service account instead.
    c. There's some other toggling which is more minor.

  2. If you're in the rootless mode you can also specify the service account user and uid. For this to really work though I think you would need to build your own version of the workbench image. The user + uid is baked in there with my other changes.

Closes https://github.com/rstudio/rstudio-pro/issues/10847

ssinnott added 8 commits June 1, 2026 15:27
- Run Workbench as non-root by default via serviceAccountUser
- Invoke supervisord with -u "" when running Workbench non-root
- Fix supervisord non-root workaround: pass -u <serviceAccountUser> instead of -u ""
- Fix non-root supervisord startup: emptyDir, path rewriting, fsGroup
- Simplify prestart-launcher.bash for non-root operation
- Simplify prestart-workbench.bash for non-root operation
- Update secrets test mode assertions for non-root default (0640)
- Document rootless prestart script simplification
- Drop supervisord non-root workaround, use image default command
- Add explicit config.sssd toggle, off by default
- Add non-root config defaults for launcher auth, PAM, provisioning
- Default serviceAccountUser to root, keep non-root opt-in
- Avoid contradictory root securityContext on user override
Previously sssd.enabled defaulted to false with a hard render failure
if set to true while running non-root. Now sssd.enabled defaults to true
and is silently skipped when serviceAccountUser is not root, preserving
existing root behavior with no BREAKING change.

Introduce rstudio-workbench.sssd.active helper to centralize the
effective-SSSD gate (enabled AND root) used across helpers, configmaps,
and NOTES.txt warnings.
…tUser

Add top-level runAsRoot: true (default) as the single binary control for
pod privilege. Previously, serviceAccountUser == "root" was the implicit
trigger for all root-vs-non-root behavior (securityContext, SSSD, secret
file modes, rserver.conf defaults), conflating the OS application user
with the Kubernetes security concept.

serviceAccountUser now solely controls server-user in rserver.conf.
All privilege-gating logic switches from eq serviceAccountUser "root"
to .Values.runAsRoot / not .Values.runAsRoot.
ssinnott requested review from GCRev and zachhannum as code owners June 2, 2026 15:31