rstudio in kubernetes - runAsNonRoot context #888

Open
radhupr opened this issue Dec 16, 2024 · 1 comment

radhupr commented Dec 16, 2024

Container image name

rocker/rstudio:4.4.2

Container image digest

No response

What operating system are you seeing the problem on?

Linux

System information

Kubernetes cluster 1.30
Docker image : rocker/rstudio:4.4.2

Bug description

Hi Team,
I want to run rstudio server (free version) on kubernetes. If I'm taking the wrong approach here, please guide me on how to do the setup in kubernetes.
I'm using the image rocker/rstudio:4.4.2 and trying to run it as a nonRoot user. (same noted with image rocker/tidyverse:4.4.2)
The pod spec is as follows:

```yaml
spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: rstudio
        image: rocker/tidyverse:4.4.2
        env:
          - name: USERID
            value: "1001"
          - name: GROUPID
            value: "1001"
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "200Mi"
            cpu: "3000m"
          limits:
            memory: "5000Mi"
```

The container is failing to start with the below error:

```
s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Permission denied
```

Reference to discussion forum on same issue: https://forum.posit.co/t/rstudio-server-in-kubernetes/195626/4

Can you help in addressing the issue?

How to reproduce this bug?

Run a pod with the above-mentioned spec. The container fails to start up.

nathanweeks commented Dec 21, 2024

The approach described in the Rocker Singularity guide, which calls rserver directly, could be adapted to run RStudio Server on Kubernetes with a non-root user.

Minimal example using a Pod (though StatefulSet would probably be a better choice), disregarding Ingress (or Gateway, etc.), persistent volume for /home/rstudio, and storing the password in a Secret (assuming authentication isn't handled at the Ingress layer):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: rstudio
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  containers:
    - name: rstudio
      image: ghcr.io/rocker-org/rstudio:4.4.2
      ports:
        - containerPort: 8787
      env:
        - name: USER
          value: rstudio
        - name: PASSWORD
          value: my-password
      volumeMounts:
        - name: rstudio-home
          mountPath: /home/rstudio
        - name: run
          mountPath: /run
        - name: var-lib-rstudio-server
          mountPath: /var/lib/rstudio-server
      securityContext:
        allowPrivilegeEscalation: false
      resources:
        requests:
          memory: "200Mi"
          cpu: "3000m"
        limits:
          memory: "5000Mi"
      command: ["rserver", "--auth-none=0", "--auth-pam-helper-path=pam-helper",
                "--auth-stay-signed-in-days=30", "--auth-timeout-minutes=0",
                "--server-user=rstudio"]
  volumes:
    - name: rstudio-home
      emptyDir: {}
    - name: run
      emptyDir: {}
    - name: var-lib-rstudio-server
      emptyDir: {}
```

Example: create the pod in the default namespace, and use port-forwarding to access:

```sh
kubectl apply -f rstudio.yaml
kubectl port-forward rstudio 8787
# ... point your web browser to http://localhost:8787, and log in with user "rstudio" and password "my-password" ...
```
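
Added example, not part of the thread or of the Rocker project's own documentation: the Pod from the reply above with the question's `runAsNonRoot` and `seccompProfile` settings restored and the password read from a Secret, which the reply set aside. The Secret name `rstudio-auth`, its `password` key and the `drop: ["ALL"]` capability setting are assumptions not found on the page; resource requests are omitted for brevity.

```yaml
# Added example; Secret name/key are hypothetical, password value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: rstudio-auth              # hypothetical name
type: Opaque
stringData:
  password: CHANGE-ME             # placeholder; create the Secret out of band in practice
---
apiVersion: v1
kind: Pod
metadata:
  name: rstudio
spec:
  securityContext:
    runAsNonRoot: true            # from the question: container is rejected if it would run as UID 0
    runAsUser: 1000               # UID/GID used in the reply
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault        # from the question
  containers:
    - name: rstudio
      image: ghcr.io/rocker-org/rstudio:4.4.2
      # Start rserver directly, as in the reply, rather than the image's default init
      command: ["rserver", "--auth-none=0", "--auth-pam-helper-path=pam-helper",
                "--auth-stay-signed-in-days=30", "--auth-timeout-minutes=0",
                "--server-user=rstudio"]
      ports:
        - containerPort: 8787
      env:
        - name: USER
          value: rstudio
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: rstudio-auth  # hypothetical Secret defined above
              key: password
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]           # assumption, not on the page; required by the "restricted" Pod Security Standard
      volumeMounts:               # writable emptyDirs, same paths as in the reply
        - { name: rstudio-home, mountPath: /home/rstudio }
        - { name: run, mountPath: /run }
        - { name: var-lib-rstudio-server, mountPath: /var/lib/rstudio-server }
  volumes:
    - { name: rstudio-home, emptyDir: {} }
    - { name: run, emptyDir: {} }
    - { name: var-lib-rstudio-server, emptyDir: {} }
```

The password still reaches the process as an environment variable; the Secret only keeps it out of the Pod manifest and lets RBAC govern who can read it.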
