diff --git a/platform/hosting/self-managed/operator.mdx b/platform/hosting/self-managed/operator.mdx index a40d197787..39480cdba0 100644 --- a/platform/hosting/self-managed/operator.mdx +++ b/platform/hosting/self-managed/operator.mdx @@ -63,12 +63,19 @@ W&B recommends you install with the official W&B Helm chart. #### Run the container as an un-privileged user -OpenShift and similar orchestrators often reject containers that run as root, so W&B containers must be configured to run as a non-root user that still belongs to the root group. By default, containers use a `$UID` of 999. Specify `$UID` >= 100000 and a `$GID` of 0 if your orchestrator requires the container run with a non-root user. +OpenShift and similar orchestrators often reject containers that run as root, so W&B containers must be configured to run as a non-root user that still belongs to the root group. By default, containers use a `$UID` of 999. Specify a `runAsUser` and `fsGroup` **within your project's assigned UID range** and a `$GID` of 0 if your orchestrator requires the container run with a non-root user. W&B must start as the root group (`$GID=0`) for file system permissions to function properly. +Find your OpenShift project's assigned UID range and use the start of that range for both `runAsUser` and `fsGroup`: + +```bash +oc get namespace -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}' +# e.g. 1000810000/10000 → use 1000810000 +``` + Configure security contexts for each W&B component. For example, to configure the API component: ```yaml @@ -77,15 +84,17 @@ api: image: repository: wandb/megabinary tag: 0.74.1 # Replace with your actual version - pod: - securityContext: - fsGroup: 10001 - fsGroupChangePolicy: Always - runAsGroup: 0 - runAsNonRoot: true - runAsUser: 10001 - seccompProfile: - type: RuntimeDefault + # Use the top-level `podSecurityContext` key. The nested `pod.securityContext` + # is NOT applied to runAsUser/fsGroup for these components, so pods would stay + # at the default UID 999 and be rejected by the `restricted-v2` SCC. + podSecurityContext: + fsGroup: 1000810000 # must be within your project's UID range + fsGroupChangePolicy: Always + runAsGroup: 0 + runAsNonRoot: true + runAsUser: 1000810000 # must be within your project's UID range + seccompProfile: + type: RuntimeDefault container: securityContext: allowPrivilegeEscalation: false @@ -96,6 +105,10 @@ api: readOnlyRootFilesystem: false ``` + +Both `runAsUser` **and** `fsGroup` must be set within the project's UID range. Setting only `runAsUser` leaves `fsGroup: 0`, which the `restricted-v2` SCC rejects with `fsGroup: Invalid value: []int64{0}: 0 is not an allowed group`. + + If needed, configure a custom security context for other components like `app` or `console`. For details, see [Custom security context](#custom-security-context). ## Deploy W&B Server application