I would like to add allowPrivilegeEscalation

[JacksonChen63]

Env: GKE 1.30.5-gke.1443001
TiDB: 8.4.0

I have try to modify the CRD tidbdashboards.pingcap.com add the securityContext.allowPrivilegeEscalation to initContinaer\ ephemeral\ containerable. After that I could add it on Kind:TidbDashboard and apply successful but still could exec pod tidbdashboard and execute su - .

Here is my tidb-dashboard and crd tidbdashboards.pingcap.com configuration.

tidb.zip

[csuzhangxc]

what's the result of su -, does it succeed or ask you to enter the password?

[JacksonChen63]

@csuzhangxc , it ask me enter the password

[csuzhangxc]

I tried to create a Pod directly with the following YAML, and it asked me to enter the password. So if we want to fully disable this, we may also need to rebuild the image.

apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: my-container
      image: pingcap/tidb-dashboard:v8.4.0
      command: ["sh", "-c", "sleep 1h"]
      securityContext:
        allowPrivilegeEscalation: false
        runAsUser: 101

[JacksonChen63]

I tried to create a Pod directly with the following YAML, and it asked me to enter the password. So if we want to fully disable this, we may also need to rebuild the image.

apiVersion: v1
kind: Pod
metadata:
name: non-root-pod
spec:
securityContext:
runAsNonRoot: true
containers:
- name: my-container
image: pingcap/tidb-dashboard:v8.4.0
command: ["sh", "-c", "sleep 1h"]
securityContext:
allowPrivilegeEscalation: false
runAsUser: 101

Hi @csuzhangxc, Do you know how to do configure to fully disable this?

[JacksonChen63]

Hi @csuzhangxc ,
I'm wondering to know is there have any update with it? Thanks.