Running Che and Che workspaces as a non-root in a Kubernetes cluster.

Signed-off-by: Son Nguyen <son.nguyen@softwareag.com>

deploy/kubernetes/helm/che/templates/configmap.yaml

@@ -55,8 +55,8 @@ data:
   CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
   CHE_INFRA_KUBERNETES_PVC_QUANTITY: {{ .Values.global.pvcClaim }}
   CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS: "true"
-  CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: "0"
-  CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP: "0"
+  CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: "{{ .Values.global.securityContext.runAsUser }}"
+  CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP: "{{ .Values.global.securityContext.fsGroup }}"
   CHE_LOCAL_CONF_DIR: /etc/conf
   CHE_LOGS_DIR: /data/logs
   CHE_LOG_LEVEL: "INFO"

deploy/kubernetes/helm/che/templates/deployment.yaml

@@ -76,6 +76,9 @@ spec:
         {{- end }}
         image: {{ .Values.cheImage }}
         imagePullPolicy: {{ .Values.cheImagePullPolicy }}
+        securityContext:
+          runAsUser: {{ .Values.global.securityContext.runAsUser }}
+          fsGroup: {{ .Values.global.securityContext.fsGroup }}
         livenessProbe:
           httpGet:
             path: /api/system/state

deploy/kubernetes/helm/che/values.yaml

@@ -58,6 +58,10 @@ global:
     appenderName: "plaintext"
   tracingEnabled: false
   metricsEnabled: false
+  # Run Che and Che workspaces as the same non-root user
+  securityContext:
+    runAsUser: 1724
+    fsGroup: 1724
 
 prometheus:
   alertmanager: