Deploy Appsmith as a Non-Root User on Kubernetes
This page shows you how to deploy Appsmith as a non-root user on a Kubernetes cluster. Running containers as non-root enhances security and is often required by organizational or platform policies. This setup works on clusters like KIND, Minikube, EKS, or GKE. It does not cover Docker-based deployments.
Prerequisites
- A running Kubernetes cluster (KIND, Minikube, or any cloud-based Kubernetes provider)
- kubectl and helm installed and configured
- Access to Docker Hub or a compatible container registry
- (Optional) External PostgreSQL and Redis instances, if you prefer not to use Helm-managed services
Configure Pull Secret and Helm Values
Set up the image pull secret and define Helm chart values to deploy Appsmith securely as a non-root user.
- Create a DockerHub image pull secret to access the Appsmith image:
    kubectl create secret docker-registry dockerhub \
      --docker-username=<your-username> \
      --docker-password=<your-password> \
      --docker-email=<your-email>
- Prepare a values.yaml file with the following configuration to run Appsmith as a non-root user:
    _image:
      repository: appsmith/appsmith-ee
      tag: latest
      pullPolicy: Always
    image:
      pullSecrets: dockerhub
    mongodb:
      enabled: true
    redis:
      enabled: true
    postgresql:
      enabled: true
    podSecurityContext:
      fsGroup: 1001
      sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "80"
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
      runAsGroup: 1001
      fsGroup: 1001
      seccompProfile:
        type: RuntimeDefault
    applicationConfig:
      LD_PRELOAD: /usr/local/lib/libnss_wrapper.so
Install Appsmith with Helm
Install Appsmith using Helm and verify that the application is running successfully in your Kubernetes cluster.
- Add the Appsmith Helm repository and install the chart using your customized values.yaml file:
    helm repo add appsmith https://helm.appsmith.com
    helm repo update
    helm install appsmith appsmith/appsmith \
      -f values.yaml
- To test the deployment, wait for all pods to reach the Running state:
    kubectl get pods
  Then, check if the Appsmith service is accessible:
    kubectl port-forward service/appsmith 8080:80
  Open http://localhost:8080 in your browser. You should see the Appsmith setup screen.
- For best security practices, make sure Appsmith is running with the following container settings:
  - Runs as a non-root user (runAsNonRoot: true)
  - Uses a fixed runAsUser, runAsGroup, and fsGroup (all set to 1001)
  - Enables seccompProfile: RuntimeDefault for syscall filtering
  - Applies net.ipv4.ip_unprivileged_port_start sysctl so Appsmith can bind to ports <1024 without root access
- MongoDB, Redis, and PostgreSQL are enabled and managed via Helm
- Ensure the image pull secret is created beforehand and correctly referenced in values.yaml
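
One way to confirm the container settings listed above on the running pod rather than only in values.yaml, as an added example that is not part of the Appsmith documentation or chart: it reads the JSON printed by `kubectl get pod <pod-name> -o json` and reports every deviation. The pod name `appsmith-0` and the embedded sample are constructed, and the check assumes the chart renders the values above into the pod and container `securityContext` fields.

```python
import json
import sys

EXPECTED_ID = 1001  # runAsUser / runAsGroup / fsGroup from the page's values.yaml
PORT_SYSCTL = "net.ipv4.ip_unprivileged_port_start"

# Constructed sample (hypothetical pod name): the container overrides the UID with 0
# and the pod-level sysctl is missing, so two findings are expected.
SAMPLE_POD = {
    "kind": "Pod", "metadata": {"name": "appsmith-0"},
    "spec": {
        "securityContext": {"fsGroup": 1001, "runAsUser": 1001, "runAsGroup": 1001,
            "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "appsmith", "securityContext": {"runAsUser": 0}}],
    },
}

def audit_pod(pod):
    """Return findings for one Pod object; an empty list means it matches."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    findings = []
    # fsGroup and sysctls exist only at pod level in the Kubernetes API.
    if pod_sc.get("fsGroup") != EXPECTED_ID:
        findings.append(f"{name}: fsGroup is {pod_sc.get('fsGroup')}, expected {EXPECTED_ID}")
    if PORT_SYSCTL not in {s.get("name") for s in pod_sc.get("sysctls") or []}:
        findings.append(f"{name}: sysctl {PORT_SYSCTL} is not set")
    for c in pod.get("spec", {}).get("containers", []):
        # Container-level fields override pod-level ones, so merge in that order.
        eff = {**pod_sc, **(c.get("securityContext") or {})}
        where = f"{name}/{c.get('name')}"
        if eff.get("runAsNonRoot") is not True:
            findings.append(f"{where}: runAsNonRoot is not true")
        for key in ("runAsUser", "runAsGroup"):
            if eff.get(key) != EXPECTED_ID:
                findings.append(f"{where}: {key} is {eff.get(key)}, expected {EXPECTED_ID}")
        if (eff.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"{where}: seccompProfile is not RuntimeDefault")
    return findings

def audit(doc):
    """Accept one Pod or the List printed by `kubectl get pods -o json`."""
    pods = doc["items"] if doc.get("kind") == "List" else [doc]
    return [f for pod in pods for f in audit_pod(pod)]

if __name__ == "__main__":
    problems = audit(SAMPLE_POD if sys.stdin.isatty() else json.load(sys.stdin))
    print("\n".join(problems) or "pod matches the non-root settings")
    sys.exit(1 if problems else 0)
```

Saved under a name of your choice (for example audit_nonroot.py, a hypothetical file name), run it as `kubectl get pod <appsmith-pod-name> -o json | python3 audit_nonroot.py`; it exits non-zero when a setting deviates, and audits the constructed sample when nothing is piped in.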