Posit's professional products are designed to run R and Python code safely. The products take advantage of sandboxing and user impersonation. For example, if Alice is writing R code, Posit Workbench (previously RStudio Server Pro) ensures the code is safely run with Alice's permissions. To seamlessly ensure safe execution for many uses, the products themselves have certain privilege requirements.
When run on server, Posit's professional products typically install and run as root. When used in containers, some of Posit's professional products require container privileges. The table below summarizes permission requirements for Posit Team. For a list of other requirements see the Posit Professional Product Requirements.
Posit Workbench (with or without Local Launcher) |
|
Server |
Requires root to be installed and runs as root. |
Docker |
Requires root in container, but container can be unprivileged if you set the local launcher config unprivileged flag. |
Posit Workbench + Kubernetes Launcher |
|
Server |
Requires root on the server, Kubernetes launcher must meet requirements(1). Session containers (i.e. pods) launched by Kubernetes launcher do not require privilege but temporarily use root in the container. |
Docker |
Requires root in the container, but the container can be unprivileged. Kubernetes launcher must meet requirements(1). Session containers (i.e. pods) launched by Kubernetes launcher do not require privilege but temporarily use root in the container. |
Posit Connect |
|
Server |
Requires root to be installed and runs as root. |
Docker |
Requires root in the container, and the container must be privileged. |
Posit Connect + Kubernetes Launcher |
|
Server |
Requires root to be installed and runs as root. When using Posit Connect + Kubernetes launcher, we recommend the Docker approach which simplifies the installation/configuration steps (e.g. Connect running on Kubernetes, installed by the Helm chart). |
Docker |
Requires root in the container, but the container can be unprivileged. Session containers (i.e. pods) launched by Kubernetes launcher do not require privilege and do not run as root. |
Posit Package Manager |
|
Server |
Recommends a root install but can be installed without root. Does not run as root. |
Docker |
Recommends root within the container but can be setup without root. Container does not need privileges |
(1) See here; Includes full access to a rstudio namespace and limited access (get,watch,list) to the K8s nodes resource API.
Comments