Container Backends - Reviewate Docs

Overview

When deployed as a platform, each code review runs in an isolated container that is destroyed after completion. Reviewate supports two container backends:

Feature	Docker	Kubernetes
Resource limits	Yes	Yes
Non-root execution	Yes	Yes
Network isolation	Yes	Yes (+ NetworkPolicy)
Namespace isolation	No	Yes
Pod security context	No	Yes
Node selectors/tolerations	No	Yes
Service account RBAC	No	Yes

Docker Backend

Default for Docker Compose deployments. Configuration in backend/configs/docker.yaml:

container:
  enabled: true
  backend: docker
  watcher:
    enabled: true
    reconcile_interval: 60
  docker:
    socket: tcp://docker-proxy:2375
    image: reviewate/code-reviewer:latest
    network: reviewate_reviewate-network
    memory_limit: 4g
    cpu_limit: 2.0
    timeout: 600
    cleanup_containers: false

Docker Options

Option	Default	Description
`socket`	`tcp://docker-proxy:2375`	Docker daemon socket
`image`	`reviewate/code-reviewer:latest`	Code reviewer container image
`network`	`null`	Docker network to attach containers to
`memory_limit`	`4g`	Maximum memory per container
`cpu_limit`	`2.0`	Maximum CPU cores per container
`timeout`	`600`	Timeout in seconds (10 minutes)
`cleanup_containers`	`false`	Remove containers after completion

Kubernetes Backend

For production deployments. Configuration in backend/configs/kubernetes.yaml:

container:
  enabled: true
  backend: kubernetes
  watcher:
    enabled: true
    reconcile_interval: 60
  kubernetes:
    namespace: reviewate
    image: reviewate/code-reviewer:latest
    service_account: reviewate
    timeout: 600
    memory_limit: 4Gi
    memory_request: 1Gi
    cpu_limit: "2"
    cpu_request: 500m
    image_pull_policy: IfNotPresent
    cleanup_jobs: true
    run_as_non_root: true
    run_as_user: 1000
    run_as_group: 1000

Kubernetes Options

Option	Default	Description
`namespace`	`reviewate`	Namespace for review jobs
`image`	`reviewate/code-reviewer:latest`	Code reviewer container image
`service_account`	`reviewate`	Service account for pods
`timeout`	`600`	Timeout in seconds
`memory_limit`	`4Gi`	Memory limit per pod
`memory_request`	`1Gi`	Memory request per pod
`cpu_limit`	`2`	CPU limit per pod
`cpu_request`	`500m`	CPU request per pod
`image_pull_policy`	`IfNotPresent`	When to pull the image
`cleanup_jobs`	`true`	Delete completed jobs
`run_as_non_root`	`true`	Enforce non-root execution
`run_as_user`	`1000`	UID to run containers as
`run_as_group`	`1000`	GID to run containers as

Environment Variable Overrides

Some Kubernetes options can be set via environment variables:

KUBE_NAMESPACE=reviewate-jobs
KUBE_SERVICE_ACCOUNT=reviewate
KUBE_CLEANUP_JOBS=true

Container Watcher

Both backends use a watcher that monitors container status via the runtime API:

Docker: Watches Docker events for container state changes
Kubernetes: Watches pod status via the Kubernetes API

The watcher also runs periodic reconciliation (default: every 60 seconds) to catch any missed events and clean up stale containers.

watcher:
  enabled: true
  reconcile_interval: 60  # seconds

Security Comparison

Docker provides basic isolation through resource limits and non-root execution. Containers share the Docker network unless explicitly configured.

Kubernetes adds namespace-level isolation, NetworkPolicy enforcement, pod security contexts, and RBAC. This makes it the recommended choice for production deployments with sensitive codebases.

See Container Isolation for the full security model.