forked from argoproj/argo-workflows
Showing 5 changed files with 125 additions and 41 deletions.
@@ -0,0 +1,34 @@ | ||
# Empty Dir | ||
|
||
While by default, the Docker and PNS [workflow executors](workflow-executors.md) can get output artifacts from the base layer (e.g. `/tmp`), neither the Kubelet or K8SAPI exectuors can. Nor are you likely to be able to get output artifacts from the base layer if you run your workflo pods a [security context](workflow-pod-security-context.md). | ||
|
||
You can work-around this constraint by mounting volumes onto your pod. The easiest way to do this is to use as `emptytDir` volume. | ||
|
||
!!! Note | ||
This is only needed for output artifacts. Input artifacts are automatically mounted to an empty-dir if needed | ||
|
||
This example shows how to mount an output volume: | ||
|
||
```yaml | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Workflow | ||
metadata: | ||
generateName: empty-dir- | ||
spec: | ||
entrypoint: main | ||
templates: | ||
- name: main | ||
container: | ||
image: argoproj/argosay:v2 | ||
volumeMounts: | ||
- name: out | ||
mountPath: /mnt/out | ||
volumes: | ||
- name: out | ||
emptyDir: { } | ||
outputs: | ||
artifacts: | ||
- name: message | ||
path: /mnt/out/message | ||
|
||
``` |
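Review bot: the `emptyDir` example never writes the file it declares as an output artifact: the `container:` block under the `main` template has no `command` or `args`, yet `outputs.artifacts` points at `/mnt/out/message`, so as written the pod runs, produces nothing at that path, and the workflow fails at artifact collection. Suggest adding `args: [ echo, hello, /mnt/out/message ]` (argosay's echo form) directly under `image: argoproj/argosay:v2` so the example is runnable. The prose also has several typos that matter because this page is the prescribed workaround linked from the security-context page: `emptytDir` should be `emptyDir` and `use as` should be `use an`; `exectuors` should be `executors`; `neither the Kubelet or K8SAPI` should be `neither the Kubelet nor K8SAPI`; and `if you run your workflo pods a security context` is missing words (`if you run your workflow pods with a security context`). The note on input artifacts being auto-mounted is correct and worth keeping; it just needs a terminating period.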
@@ -0,0 +1,27 @@ | ||
# Workflow Pod Security Context | ||
|
||
By default, a workflow pods run as root. The Docker executor even requires `privileged: true`. | ||
|
||
For other [workflow executors](workflow-executors.md), you can run your workflow pods more securely by configuring the [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for your workflow pod. | ||
|
||
This is likely to be necessary if you have a [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). You probably can't use the Docker executor if you have a pod security policy. | ||
|
||
```yaml | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Workflow | ||
metadata: | ||
generateName: security-context- | ||
spec: | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsUser: 8737 #; any non-root user | ||
priviledged: false | ||
``` | ||
|
||
You can configure this globally using [workflow defaults](default-workflow-specs.md). | ||
|
||
!!! Warning "It is easy to make a workflow need root unintentionally" | ||
You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. `mkdir /my-dir` would require root. | ||
|
||
!!! Note "You must use volumes for output artifacts" | ||
If you use `runAsNonRoot` - you cannot have output artifacts on base layer (e.g. `/tmp`). You must use a volume (e.g. [empty dir](empty-dir.md)). |
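Review bot: `priviledged: false` in the example is both misspelled and in the wrong place: `privileged` is a field of the container-level `securityContext`, not of the pod-level `PodSecurityContext` that `spec.securityContext` maps to, so even spelled correctly it would be rejected by schema validation or silently pruned as an unknown field, while the reader is left believing the pod has been de-privileged. Either drop the line, since `runAsNonRoot: true` with `runAsUser: 8737` already carries the point of the example, or show it under a template's `container.securityContext` together with `allowPrivilegeEscalation: false`. Smaller points: the trailing comment `#; any non-root user` has a stray semicolon (`# any non-root user`), and `By default, a workflow pods run as root` should read `By default, workflow pods run as root`. The `mkdir /my-dir` warning is a good concrete illustration of how root creeps in, and the closing note correctly cross-references `empty-dir.md` for output artifacts.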