Configure a Non-Root Install

    Prevent Couchbase Server containers from running as root.

    When using Kubernetes, all pods run as root by default. This is a security concern for many enterprises, so they enforce that pods run as a non-root user. By default, Couchbase Server pods change their user to couchbase (UID 1000); however, performing a kubectl exec into a pod still runs as root. This how-to shows how to run as a non-root user in all circumstances.

    Red Hat OpenShift users already have mandatory user randomization and can ignore this guide.

    Couchbase Cluster Configuration

    Non-root Couchbase Server installs are configured as follows:

    apiVersion: couchbase.com/v2
    kind: CouchbaseCluster
    spec:
      securityContext:
        runAsNonRoot: false (1)
        runAsUser: 1000 (2)
    (1) spec.securityContext.runAsNonRoot is not required for the install to function, but is shown here to illustrate that this field must be false. When it is set to true, kubelet validates the Couchbase Server container image to ensure it runs as a non-root user account; because the container does not run as a non-root account, that validation fails.
    (2) spec.securityContext.runAsUser is required and executes all processes as this user. The value must be 1000, as this maps to the couchbase user within the container image.
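    The two constraints above can be turned into an audit that runs over the JSON form of a CouchbaseCluster resource (for example the output of kubectl get -o json). This is an added example written for this page, not code from Couchbase or the Operator; the sample resources embedded in it are constructed for illustration.

```python
"""Audit a CouchbaseCluster resource for the non-root settings in this guide.

Reads the JSON form of the resource (e.g. `kubectl get -o json` output) and
checks: spec.securityContext.runAsUser must be 1000 (the couchbase user in the
image) and spec.securityContext.runAsNonRoot must not be true.
"""
import json
import sys

COUCHBASE_UID = 1000  # the 'couchbase' user inside the Couchbase Server image


def audit_security_context(cluster: dict) -> list:
    """Return a list of findings; an empty list means the spec is compliant."""
    findings = []
    sc = cluster.get("spec", {}).get("securityContext") or {}
    run_as_user = sc.get("runAsUser")
    if run_as_user is None:
        findings.append("spec.securityContext.runAsUser is missing; "
                        "processes (and kubectl exec) will run as root")
    elif run_as_user != COUCHBASE_UID:
        findings.append(f"spec.securityContext.runAsUser is {run_as_user}, "
                        f"expected {COUCHBASE_UID} (the couchbase user)")
    if sc.get("runAsNonRoot") is True:
        findings.append("spec.securityContext.runAsNonRoot is true; kubelet's "
                        "image validation will fail, set it to false")
    return findings


# Constructed sample: a cluster that matches the guide's configuration.
COMPLIANT_CLUSTER = {
    "apiVersion": "couchbase.com/v2", "kind": "CouchbaseCluster",
    "metadata": {"name": "cb-example"},
    "spec": {"securityContext": {"runAsNonRoot": False, "runAsUser": 1000}},
}

# Constructed sample: the default spec with no securityContext at all.
DEFAULT_CLUSTER = {
    "apiVersion": "couchbase.com/v2", "kind": "CouchbaseCluster",
    "metadata": {"name": "cb-default"}, "spec": {},
}


def main() -> int:
    # Audit a resource piped on stdin, otherwise the constructed samples.
    clusters = [json.load(sys.stdin)] if not sys.stdin.isatty() else [COMPLIANT_CLUSTER, DEFAULT_CLUSTER]
    worst = 0
    for c in clusters:
        findings = audit_security_context(c)
        name = c.get("metadata", {}).get("name", "<unnamed>")
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
        worst = max(worst, 1 if findings else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main())
```

    A non-zero exit status means at least one cluster would still run processes, and kubectl exec sessions, as root.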