add notes re: code executor securityContext (#213)

tryretool · Feb 21, 2024 · e7bf94e · e7bf94e
1 parent 97f1220
commit e7bf94e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/kubernetes-with-temporal/retool-code-executor-container.yaml b/kubernetes-with-temporal/retool-code-executor-container.yaml
@@ -39,5 +39,8 @@ spec:
             requests:
               cpu: 1000m
               memory: 1024Mi
+          # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+          # If your deployment does not support privileged access, you can set this to false to not use nsjail.
+          # Without nsjail, all code is run without sandboxing within your deployment.
           securityContext:
             privileged: true
diff --git a/kubernetes/retool-code-executor-container.yaml b/kubernetes/retool-code-executor-container.yaml
@@ -39,5 +39,8 @@ spec:
             requests:
               cpu: 1000m
               memory: 1024Mi
+          # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+          # If your deployment does not support privileged access, you can set this to false to not use nsjail.
+          # Without nsjail, all code is run without sandboxing within your deployment.
           securityContext:
             privileged: true