Code-executor running as a privileged container

[cedenilla]

Hello,

I'm currently in the process of installing the code-executor in the self-hosted version. However, I've encountered an issue where the pod is not being scheduled due to it running as a privileged container.

pods "retool-code-executor-857b777d78-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]

I'd appreciate clarification on whether there is a specific reason for the code-executor needing to run as a privileged container. Is it possible to eliminate this requirement and instead configure the SecurityContext directly from the values YAML file?

Thank you for your assistance.
Daniel

[demitrin]

It looks like we support setting a security context for the code executor service that can let you run it without running as privileged:

retool-helm/charts/retool/templates/deployment_code_executor.yaml

Lines 56 to 60 in 1a07c66

	{{ if .Values.codeExecutor.securityContext }}
	{{ toYaml .Values.codeExecutor.securityContext | indent 10 }}
	{{ else }}
	privileged: true
	{{ end }}

Going to close this for now but feel free to re-open if this isn't sufficient for your deployment