gardener / gardener-extension-provider-gcp

Gardener extension controller for the GCP cloud provider (https://cloud.google.com).
https://gardener.cloud
Apache License 2.0

csi-driver-node: enable readOnlyRootFilesystem #912

Open Garfield96 opened 1 day ago

Garfield96 commented 1 day ago

How to categorize this PR?

/area robustness /area security /kind enhancement /platform gcp

What this PR does / why we need it: This PR makes the container root filesystem of all containers of the csi-driver-node pod read-only. This improves the robustness of the cluster, since a faulty application cannot write data in an uncontrolled fashion, which in the worst case can affect all pods on the host node. It also hardens the application, since many exploits are based on writing a script or executable to disk and executing it afterwards. This is no longer possible after this change.

Which issue(s) this PR fixes: Fixes #

Special notes for your reviewer:

Release note:

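The hardening described in the PR (readOnlyRootFilesystem on every container of the pod) is something a reviewer or an admission policy can check mechanically. The following is an added example, not code from this PR or from the Gardener project: a small Go audit that parses a pod manifest and lists the containers whose root filesystem is still writable. The two embedded manifests are constructed for the example and use placeholder container names; the Go types are a minimal hand-written subset of the Pod schema rather than the real k8s.io/api types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal, hand-written subset of the Kubernetes Pod schema: only the fields
// the audit needs. (Assumption for the example; the real types live in k8s.io/api.)
type securityContext struct {
	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
}

type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext,omitempty"`
}

type podSpec struct {
	Containers []container `json:"containers"`
}

type pod struct {
	Spec podSpec `json:"spec"`
}

// Constructed "before" manifest: one container is hardened, one has no
// securityContext at all, one explicitly leaves the root filesystem writable.
const weakPod = `{
  "spec": {
    "containers": [
      {"name": "driver", "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "registrar"},
      {"name": "liveness-probe", "securityContext": {"readOnlyRootFilesystem": false}}
    ]
  }
}`

// Constructed "after" manifest: every container sets readOnlyRootFilesystem.
// Paths a container legitimately writes to (e.g. /tmp) would be backed by an
// emptyDir volume so the read-only root does not break it.
const hardenedPod = `{
  "spec": {
    "containers": [
      {"name": "driver", "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "registrar", "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "liveness-probe", "securityContext": {"readOnlyRootFilesystem": true}}
    ]
  }
}`

// ContainersWithWritableRoot returns the names of containers that do not set
// readOnlyRootFilesystem: true. A missing securityContext or a missing field
// counts as writable, because that is the Kubernetes default.
func ContainersWithWritableRoot(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var writable []string
	for _, c := range p.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			writable = append(writable, c.Name)
		}
	}
	return writable, nil
}

func main() {
	for label, m := range map[string]string{"weak": weakPod, "hardened": hardenedPod} {
		w, err := ContainersWithWritableRoot([]byte(m))
		if err != nil {
			fmt.Println(label, "error:", err)
			continue
		}
		fmt.Printf("%s manifest: containers with writable root = %v\n", label, w)
	}
}
```

The same predicate is what a policy engine would express as a rule: any container without an explicit readOnlyRootFilesystem: true is flagged, since the Kubernetes default is a writable root filesystem.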
gardener-robot commented 1 day ago

@Garfield96 Thank you for your contribution.

gardener-robot-ci-3 commented 1 day ago

Thank you @Garfield96 for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.