Closed thomaswoeckinger closed 7 months ago
Just to make sure I'm on the right track: we'd first need to allow setting container-level securityContext in the Helm chart, correct?
Because it doesn't seem to be currently possible. We have podOptions.podSecurityContext but that seems to refer to pod-level securityContext options, such as runAsUser. readOnlyRootFilesystem would be at the container level.
Oh, and I setup-zk is only created when we specify a chroot. I guess that in order to properly test things, that container should also have readOnlyRootFilesystem in its definition, correct? And there's no good reason not to have readOnlyRootFilesystem on that container (once it works like that), correct?
I'll continue poking at this under the assumption that all of the above are correct 🙂 but any feedback is welcome.
It is not that complicated, it is sufficient to use an emptyDir and mount it to /tmp. This is because readOnlyRootFilesystem is not used with mount points.
Yeah @radu-gheorghe, Thomas is not saying that we need to be able to specify readOnlyFilesystem, as that is already possible. We just need to make sure any folder that we write to in Solr or in the init containers is backed by a volume (ephemeral volumes by default), so that we don't see an error when the readOnlyFilesystem option is used.
OK, so I'll change zk-init to mount an emptyDir into /tmp. I'll also add readOnlyFilesystem to its definition in order to test it, but I'd like to leave it like that, I don't see a reason not to. Sounds good?
And I'll also try to test with readOnlyFilesystem everywhere. Maybe the Solr container also writes to /tmp or somewhere funky. I couldn't do that so far, but I'll press on 😁
In Openshift environments (maybe in others too) it is possible to restrict containers with SecurityContextConstraints (SCC).
Especially setting the root filesystem to read only would increase security.
Currently the init container setup-zk is preventing read only root filesystem, as it is writing to /tmp. So if this container would mount an emptyDir to /tmp it would be possible to set the root filesystem to read only.
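
The fix discussed in this thread, as an added example that is not part of the original issue or the project's chart: a plain Pod manifest in which an init container named setup-zk and the main container both run with readOnlyRootFilesystem set to true and get an emptyDir mounted at /tmp. The Pod name, images, commands and volume names are assumptions; only setup-zk, /tmp, emptyDir and readOnlyRootFilesystem come from the discussion.

```yaml
# Added example: names, images and commands are placeholders,
# not the operator's real pod spec.
apiVersion: v1
kind: Pod
metadata:
  name: readonly-rootfs-demo          # hypothetical name
spec:
  initContainers:
    - name: setup-zk
      image: busybox:1.36             # stand-in image
      command: ["sh", "-c"]
      args:
        - |
          # A write to the root filesystem is refused; /tmp is a mount
          # point backed by the emptyDir, so the write there succeeds.
          touch /etc/probe 2>/dev/null && echo "rootfs writable" || echo "rootfs read-only"
          touch /tmp/probe && echo "/tmp writable"
      securityContext:
        readOnlyRootFilesystem: true  # container-level setting
      volumeMounts:
        - name: setup-zk-tmp
          mountPath: /tmp
  containers:
    - name: solr                      # stand-in for the main container
      image: busybox:1.36
      command: ["sh", "-c", "touch /tmp/probe && sleep 3600"]
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: solr-tmp
          mountPath: /tmp
  volumes:
    - name: setup-zk-tmp              # ephemeral, removed with the Pod
      emptyDir: {}
    - name: solr-tmp
      emptyDir: {}
```

Removing the setup-zk-tmp mount makes the second touch fail with a read-only file system error and the init container exit non-zero, which is the failure this issue describes.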