This document sounds like `run_as_non_root=True` should be enabled for
workspaces.
https://coder.com/docs/install/kubernetes#kubernetes-security-reference
> All containers must run as non-root user
> - Control plane - ...
> - Workspaces - Workspace pod UID is [set in the Terraform template here](f57ce97b5a/examples/templates/kubernetes/main.tf (L274-L276)), and are not required to run as root.
Administrators of the Kubernetes cluster I am working on have added a
security check that prevents creating pods without
`run_as_non_root=True`. So I need to set it every time I create a
template.
According to the docs, used with `run_as_user=1000` it should not have
negative effects and could be safely added.
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/
| display_name | description | icon | maintainer_github | verified | tags |
|---|---|---|---|---|---|
| Kubernetes (Deployment) | Provision Kubernetes Deployments as Coder workspaces | ../../../site/static/icon/k8s.png | coder | true | |
# Remote Development on Kubernetes Pods

Provision Kubernetes Pods as Coder workspaces with this example template.

## Prerequisites

### Infrastructure

- Cluster: This template requires an existing Kubernetes cluster.
- Container Image: This template uses the `codercom/enterprise-base:ubuntu` image with some dev tools preinstalled. To add additional tools, extend this image or build it yourself.

### Authentication

This template authenticates using a `~/.kube/config`, if present on the server, or via built-in authentication if the Coder provisioner is running on Kubernetes with an authorized ServiceAccount. To use another authentication method, edit the template.

## Architecture

This template provisions the following resources:

- Kubernetes pod (ephemeral)
- Kubernetes persistent volume claim (persistent on `/home/coder`)

This means that when the workspace restarts, any tools or files outside of the home directory are not persisted. To pre-bake tools into the workspace (e.g. `python3`), modify the container image. Alternatively, individual developers can personalize their workspaces with dotfiles.

> **Note**
> This template is designed to be a starting point! Edit the Terraform to extend the template to support your use case.
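The following Terraform is an added example, not the project's own `main.tf`, showing how the workspace pod described in the Architecture section above (an ephemeral pod plus a persistent volume claim mounted at `/home/coder`) can carry the `run_as_non_root = true` setting that the cluster policy in the issue above requires, alongside `run_as_user = 1000`. The namespace, workspace name, storage size and the `sleep infinity` command are placeholders; the real template starts the Coder agent there and wires `coder_agent` / `coder_workspace` data sources, which are omitted here.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

# Assumption: the provider picks up ~/.kube/config or, when the provisioner
# runs in-cluster, the pod's ServiceAccount, as described in the README.
provider "kubernetes" {}

# Placeholder values; the real template derives these from coder_workspace.
variable "namespace" {
  type    = string
  default = "coder-workspaces"
}

variable "workspace_name" {
  type    = string
  default = "example-workspace"
}

# Persistent home directory: survives pod restarts, unlike the pod itself.
resource "kubernetes_persistent_volume_claim" "home" {
  metadata {
    name      = "coder-${var.workspace_name}-home"
    namespace = var.namespace
  }
  spec {
    access_modes = ["ReadWriteOnce"]
    resources {
      requests = {
        storage = "10Gi" # placeholder size
      }
    }
  }
  wait_until_bound = false
}

resource "kubernetes_pod" "main" {
  metadata {
    name      = "coder-${var.workspace_name}"
    namespace = var.namespace
  }
  spec {
    # Pod-level context: every container runs as UID/GID 1000 and the kubelet
    # refuses to start any container whose effective UID would resolve to 0.
    # fs_group makes the mounted PVC writable by that UID.
    security_context {
      run_as_user     = 1000
      run_as_group    = 1000
      fs_group        = 1000
      run_as_non_root = true
    }

    container {
      name    = "dev"
      image   = "codercom/enterprise-base:ubuntu"
      command = ["sleep", "infinity"] # placeholder for the Coder agent start script

      # Container-level context: repeated so that a per-container override
      # cannot silently drop the guarantee, with setuid-based escalation and
      # all capabilities removed as well.
      security_context {
        run_as_user                = 1000
        run_as_non_root            = true
        allow_privilege_escalation = false
        capabilities {
          drop = ["ALL"]
        }
      }

      volume_mount {
        name       = "home"
        mount_path = "/home/coder"
      }
    }

    volume {
      name = "home"
      persistent_volume_claim {
        claim_name = kubernetes_persistent_volume_claim.home.metadata[0].name
      }
    }
  }
}
```

Keep `run_as_user` explicit whenever `run_as_non_root` is set: if the image only declares a symbolic `USER` (such as `coder`) and no numeric UID is given, the kubelet cannot prove the user is non-root and the container fails to start with a "non-numeric user" error. Pinning the UID to 1000 is also what keeps the files on the `/home/coder` PVC owned by the same user across restarts and image rebuilds.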