Configure a Non-Root Install

Prevent Couchbase Server containers from running as root.

When using Kubernetes all pods are run as root by default. This is a security concern for many enterprises, so they enforce pods be run as a non-root user. By default, Couchbase server pods will change their user to couchbase (UID 1000), however performing a kubectl exec into a pod still runs as root. This how-to shows how to run as a non-root user in all circumstances.

Red Hat OpenShift users should already have mandatory user randomization, so can ignore this guide.

Couchbase Cluster Configuration

Non-root Couchbase Server installs are configured as follows:

apiVersion: couchbase.com/v2
kind: CouchbaseCluster
spec:
  securityContext:
    runAsNonRoot: false (1)
    runAsUser: 1000 (2)
1 spec.securityContext.runAsNonRoot is not necessary to function, however illustrates that this field must be false. The Couchbase Server container image will be validated by kubelet to ensure it runs as a non-root user account when this is set to true. As the container doesn’t run as a non-root account the validation will fail.
2 spec.securityContext.runAsUser is required, and will execute all processes as this user. The value must be 1000 as this maps to the couchbase user within the container image.