Skip to content

Workflow Pod Security Context

By default, all workflow pods run as root.

You can run your workflow pods more securely by configuring the security context for your workflow pod.

This is likely to be necessary if pod security standards (PSS) are enforced by PSA or other means, or if you have a pod security policy (deprecated).

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: security-context-
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 8737 #; any non-root user

You can configure this globally using workflow defaults.

It is easy to make a workflow need root unintentionally

You may find that user's workflows have been written to require root with seemingly innocuous code. E.g. mkdir /my-dir would require root.

You must use volumes for output artifacts

If you use runAsNonRoot - you cannot have output artifacts on base layer (e.g. /tmp). You must use a volume (e.g. empty dir).


Have a question?

Search on GitHub Discussions and Slack.