Configure a Non-Root Install

      Prevent Couchbase Server containers from running as root.

      When using Kubernetes, all pods run as root by default. This is a security concern for many enterprises, so they require that pods run as a non-root user. By default, Couchbase Server pods change their user to couchbase (UID 1000); however, performing a kubectl exec into a pod still runs as root. This how-to shows how to run as a non-root user in all circumstances.

      Red Hat OpenShift users should already have mandatory user randomization, so they can ignore this guide.

      Couchbase Cluster Configuration

      Non-root Couchbase Server installs are configured as follows:

      apiVersion: couchbase.com/v2
      kind: CouchbaseCluster
      spec:
        securityContext:
          runAsNonRoot: false  # (1)
          runAsUser: 1000      # (2)

      (1) spec.securityContext.runAsNonRoot is not required for the configuration to function; it is shown to illustrate that this field must be false. When it is set to true, kubelet validates the Couchbase Server container image to ensure it runs as a non-root user account. Because the container does not run as a non-root account, that validation fails.
      (2) spec.securityContext.runAsUser is required, and causes all processes to execute as this user. The value must be 1000, as this maps to the couchbase user within the container image.
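
The following check is an added example, not part of the original guide or of Couchbase's tooling. It audits CouchbaseCluster objects, supplied as the JSON that kubectl get prints with -o json (a single object or a List), against the two settings described above. The function names and the sample cluster names are assumptions made for illustration.

```python
import json

COUCHBASE_UID = 1000  # UID of the couchbase user in the image, per this guide


def check_cluster(cluster):
    """Return a list of findings for one CouchbaseCluster object (a dict)."""
    name = (cluster.get("metadata") or {}).get("name", "<unnamed>")
    ctx = (cluster.get("spec") or {}).get("securityContext") or {}
    findings = []
    uid = ctx.get("runAsUser")
    if uid is None:
        # Without runAsUser, kubectl exec into the pod still runs as root.
        findings.append(f"{name}: runAsUser is not set, kubectl exec runs as root")
    elif uid != COUCHBASE_UID:
        findings.append(f"{name}: runAsUser is {uid}, must be {COUCHBASE_UID}")
    if ctx.get("runAsNonRoot") is True:
        # The guide states that kubelet validation fails when this is true.
        findings.append(f"{name}: runAsNonRoot is true, must be false")
    return findings


def check_manifest(text):
    """Check every CouchbaseCluster in a single-object or List JSON document."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if item.get("kind") == "CouchbaseCluster":
            findings.extend(check_cluster(item))
    return findings


# Constructed sample input (hypothetical clusters, not from a real deployment).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "CouchbaseCluster", "metadata": {"name": "cb-ok"},
     "spec": {"securityContext": {"runAsNonRoot": False, "runAsUser": 1000}}},
    {"kind": "CouchbaseCluster", "metadata": {"name": "cb-default"}, "spec": {}},
    {"kind": "CouchbaseCluster", "metadata": {"name": "cb-strict"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1001}}},
]})

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE):
        print(finding)
```

An empty result means every cluster in the input sets runAsUser to 1000 and does not set runAsNonRoot to true.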