ibm-messaging / mq-helm

Apache License 2.0
25 stars, 33 forks

Enhance this helm chart to support readOnlyRootFileSystem settings on container security context #85

Open wangshu3000 opened 1 month ago

wangshu3000 commented 1 month ago

Setting readOnlyRootFileSystem to true for containers is a best practice from a security perspective.

According to the documentation in the mq-container repo, the container supports running with readOnlyRootFileSystem, but the Helm chart doesn't support this configuration. https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md#running-with-a-read-only-root-filesystem

Here are a few reasons why we might want to do this:

Immutability: By making the root filesystem read-only, you ensure that the application's environment remains the same as when you deployed it. This can help prevent issues caused by changes to the filesystem.

Preventing Malware Persistence: If a container becomes compromised (e.g., an attacker manages to run a malicious script), a read-only filesystem can prevent the malware from writing files to the filesystem and gaining persistence.

Enforcing Good Application Design: Applications running in containers should be designed to be stateless and to write any persistent data to a separate storage volume, not to the container's filesystem. A read-only root filesystem enforces this design principle.

Reducing the Attack Surface: A read-only filesystem can limit the capabilities of an attacker by preventing them from writing or modifying files on the container's filesystem.

I would like to create a PR to enhance this helm chart.

The basic idea is to create two emptyDir volumes for the /run and /tmp folders and mount them when readOnlyRootFileSystem is set to true.
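The approach described in the issue, shown as an added example rather than the chart's own templates or the eventual PR: a `values.yaml` switch that sets the container's `securityContext` and, only when enabled, adds `emptyDir` volumes for `/run` and `/tmp`. The value path `security.readOnlyRootFilesystem`, the container name `qmgr` and the file layout are assumptions for this example; the chart's existing data volume mounts are omitted. Note that the Kubernetes field is spelled `readOnlyRootFilesystem` (lowercase "s"), and the API server will reject the camel-cased `readOnlyRootFileSystem` as an unknown field.

```yaml
# values.yaml (assumed layout for this example, not the chart's real values file)
security:
  # Kubernetes field name is readOnlyRootFilesystem; a typo here is rejected
  # by the API server rather than silently ignored.
  readOnlyRootFilesystem: true

---
# templates/statefulset.yaml (excerpt; container name "qmgr" is assumed,
# existing data volume mounts left out)
spec:
  template:
    spec:
      containers:
        - name: qmgr
          securityContext:
            readOnlyRootFilesystem: {{ .Values.security.readOnlyRootFilesystem }}
            allowPrivilegeEscalation: false
          volumeMounts:
            {{- if .Values.security.readOnlyRootFilesystem }}
            # Scratch directories the container writes to at runtime; with the
            # root filesystem read-only these must be separate writable mounts.
            - name: run
              mountPath: /run
            - name: tmp
              mountPath: /tmp
            {{- end }}
      volumes:
        {{- if .Values.security.readOnlyRootFilesystem }}
        - name: run
          emptyDir: {}
        - name: tmp
          emptyDir: {}
        {{- end }}
```

Gating both the `volumeMounts` and the `volumes` on the same value keeps a default install unchanged and avoids a dangling mount when the setting is off. A quick check after deploying with the switch on: `kubectl exec <pod> -- touch /probe` should fail with "Read-only file system", while `kubectl exec <pod> -- touch /tmp/probe` succeeds. An `emptyDir` can also be given a `sizeLimit` so a compromised or misbehaving process cannot fill node disk through `/tmp`.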

callumpjackson commented 1 month ago

Hi - sounds like a good enhancement. Look forward to the PR.

wangshu3000 commented 1 month ago

Thanks @callumpjackson. I've finished the code change; once I finish the review I'll push it to this repo.