apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0
243 stars, 112 forks

Possibility to run as readOnlyRootFilesystem #624

Closed thomaswoeckinger closed 7 months ago

thomaswoeckinger commented 9 months ago

In OpenShift environments (maybe in others too) it is possible to restrict containers with SecurityContextConstraints (SCC).

Especially setting the root filesystem to read-only would increase security.

Currently the init container (setup-zk?) is preventing a read-only root filesystem, as it is writing to /tmp.

So if this container mounted an emptyDir at /tmp, it would be possible to set the root filesystem to read-only.

radu-gheorghe commented 8 months ago

Just to make sure I'm on the right track: we'd first need to allow setting container-level securityContext in the Helm chart, correct?

Because it doesn't seem to be currently possible. We have podOptions.podSecurityContext but that seems to refer to pod-level securityContext options, such as runAsUser. readOnlyRootFilesystem would be at the container level.

Oh, and setup-zk is only created when we specify a chroot. I guess that in order to properly test things, that container should also have readOnlyRootFilesystem in its definition, correct? And there's no good reason not to have readOnlyRootFilesystem on that container (once it works like that), correct?

I'll continue poking at this under the assumption that all of the above are correct 🙂 but any feedback is welcome.

thomaswoeckinger commented 8 months ago

It is not that complicated; it is sufficient to use an emptyDir and mount it to /tmp. This is because readOnlyRootFilesystem is not applied to mount points.

HoustonPutman commented 8 months ago

Yeah @radu-gheorghe , Thomas is not saying that we need to be able to specify readOnlyFilesystem, as that is already possible. We just need to make sure any folder that we write to in Solr or in the init containers is backed by a volume (ephemeral volumes by default), so that we don't see an error when the readOnlyFilesystem option is used.
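The pattern described in the two comments above, as an added illustration that is not part of the solr-operator code base: a pod whose init container and main container both run with `readOnlyRootFilesystem: true`, while `/tmp` stays writable because it is backed by an `emptyDir` volume. The pod name, image references and the shell command are placeholders; the container name `setup-zk` only stands in for the operator's chroot init container.

```yaml
# Added example, not from the solr-operator project. All names and images are
# placeholders. The point: readOnlyRootFilesystem applies to the container's
# root filesystem layer only; paths backed by a volume mount remain writable.
apiVersion: v1
kind: Pod
metadata:
  name: solr-readonly-root-demo        # placeholder
spec:
  volumes:
    - name: tmp
      emptyDir: {}                     # ephemeral scratch space, discarded with the pod
  initContainers:
    - name: setup-zk                   # stand-in for the operator's chroot init container
      image: example.invalid/zk-setup:placeholder
      # Writing under /tmp succeeds only because /tmp is a volume mount;
      # without the mount below, this fails with "Read-only file system".
      command: ["sh", "-c", "echo chroot-setup > /tmp/out && cat /tmp/out"]
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  containers:
    - name: solr                       # placeholder main container
      image: example.invalid/solr:placeholder
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: tmp
          mountPath: /tmp
```

To confirm the behaviour on a running pod, `kubectl exec <pod> -c solr -- touch /tmp/probe` succeeds while `kubectl exec <pod> -c solr -- touch /probe` is rejected with "Read-only file system". Any other directory a container writes to at runtime (log or data directories, for instance) needs the same treatment: back it with a volume, or the read-only root filesystem will surface as a write error at startup.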

radu-gheorghe commented 8 months ago

OK, so I'll change zk-init to mount an emptyDir into /tmp. I'll also add readOnlyFilesystem to its definition in order to test it, but I'd like to leave it like that; I don't see a reason not to. Sounds good?

And I'll also try to test with readOnlyFilesystem everywhere. Maybe the Solr container also writes to /tmp or somewhere funky. I couldn't do that so far, but I'll press on 😁