Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

A newer version of this documentation is available.

View Latest

Configure a Non-Root Install

    March 30, 2025
    + 12
    Prevent Couchbase Server containers from running as root.

    When using Kubernetes all pods are run as root by default. This is a security concern for many enterprises, so they enforce pods be run as a non-root user. By default, Couchbase server pods will change their user to couchbase (UID 1000), however performing a kubectl exec into a pod still runs as root. This how-to shows how to run as a non-root user in all circumstances.

    Red Hat OpenShift users should already have mandatory user randomization, so can ignore this guide.

    Couchbase Cluster Configuration

    Non-root Couchbase Server installs are configured as follows:

    yaml
    Copy
    apiVersion: couchbase.com/v2
kind: CouchbaseCluster
spec:
  securityContext:
    runAsNonRoot: false (1)
    runAsUser: 1000 (2)
    1 spec.securityContext.runAsNonRoot is not necessary to function, however illustrates that this field must be false. The Couchbase Server container image will be validated by kubelet to ensure it runs as a non-root user account when this is set to true. As the container doesn’t run as a non-root account the validation will fail.
    2 spec.securityContext.runAsUser is required, and will execute all processes as this user. The value must be 1000 as this maps to the couchbase user within the container image.