Code-executor running as a privileged container

Hello,

We reported this issue a couple of weeks ago but didn't hear anything back.
So just wanted to ask if there is any answer for this: https://github.com/tryretool/retool-helm/issues/141

I'm currently in the process of installing the code-executor in the self-hosted version. However, I've encountered an issue where the pod is not being scheduled due to it running as a privileged container.

pods "retool-code-executor-857b777d78-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

I'd appreciate clarification on whether there is a specific reason for the code-executor needing to run as a privileged container. Is it possible to eliminate this requirement and instead configure the SecurityContext directly from the values YAML file?

Thank you :slight_smile:

Hi @Mandaflorian!

Thanks for reaching out here. If you don't need custom JS libraries and custom Python libraries, you could try this environment variable: Code executor environment variables | Retool Docs

This leads to an error thrown by the code-executor container: "Code executor container is specified to run in unprivileged mode (CONTAINER_UNPRIVILEGED_MODE=true) but the user running container is not the expected user, retool_user (uid 1001) in retool_user_group (gid 1001)"

Retool version: 3.52.6-stable
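
The two errors quoted above, put into one pod spec, as an added example that is not part of the original posts and is not taken from Retool or the retool-helm chart: the container runs unprivileged and the pod is pinned to the uid and gid that the code-executor error message names. The resource names, labels and image reference are placeholders, and it is an assumption that setting these fields directly on the Deployment is possible in your install.

```yaml
# Added example, not Retool's or the retool-helm chart's own manifest.
# Placeholders: metadata names, labels and the image reference.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: retool-code-executor              # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: retool-code-executor           # placeholder label
  template:
    metadata:
      labels:
        app: retool-code-executor
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001    # retool_user, the uid named in the error message
        runAsGroup: 1001   # retool_user_group, the gid named in the error message
      containers:
        - name: code-executor
          image: "<code-executor-image>:<tag>"   # placeholder
          env:
            # Variable name taken from the error message quoted in the thread.
            - name: CONTAINER_UNPRIVILEGED_MODE
              value: "true"
          securityContext:
            # The setting the admission policy rejected was:
            #   privileged: true
            privileged: false
            allowPrivilegeEscalation: false
```

On clusters where the admission layer assigns the container uid itself, the policy also has to permit uid 1001 for the user check in the error message to pass.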

Hey @Gangeshwar_Krishnamurthy,

I followed up here: How to change uid in CodeExecutor pod in Openshift