Workflow Pod Security Context¶
By default, all workflow pods run as root.
You can run your workflow pods more securely by configuring the security context for your workflow pod.
This is likely to be necessary if pod security standards (PSS) are enforced by PSA or other means, or if you have a pod security policy (deprecated).
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: security-context-
spec:
securityContext:
runAsNonRoot: true
runAsUser: 8737 #; any non-root user
You can configure this globally using workflow defaults.
It is easy to make a workflow need root unintentionally
You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. mkdir /my-dir would require root.
You must use volumes for output artifacts
If you use runAsNonRoot - you cannot have output artifacts on base layer (e.g. /tmp). You must use a volume (e.g. empty dir).