loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0
6.26k stars 398 forks

Add support for running vcluster with readOnlyRootFilesystem set to true #189

Closed matskiv closed 2 years ago

matskiv commented 2 years ago

We have a PR #188 landing with support for setting the securityContext on the vcluster containers, but while testing it I noticed that securityContext.readOnlyRootFilesystem cannot be set to true with the current implementation. We are writing a vcluster kube config into the container filesystem, and that fails with readOnlyRootFilesystem=true. The fix might be as simple as adding an emptyDir volume for this purpose, or saving the file into the path where the PV is mounted, but it just needs a little bit more thought and testing, which I didn't have time for when implementing #188.

matskiv commented 2 years ago

The PR (#188) that is referenced in the issue description has been updated. This issue won't be a problem with the new approach taken there.
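
The emptyDir option mentioned in the issue description, sketched as a generic Pod manifest. This is an added example, not vcluster's chart and not the approach taken in #188; the pod name, image, environment variable and mount path are placeholders.

```yaml
# Added example: generic Kubernetes pattern, not taken from the vcluster chart.
# All names, the image and the paths are placeholders (assumptions).
apiVersion: v1
kind: Pod
metadata:
  name: readonly-rootfs-example          # hypothetical name
spec:
  containers:
    - name: app                          # hypothetical container
      image: registry.example.com/app:placeholder
      securityContext:
        readOnlyRootFilesystem: true     # writes to the image filesystem now fail
        allowPrivilegeEscalation: false
      env:
        # Hypothetical variable: where the process writes its generated kube config
        - name: KUBECONFIG_OUT
          value: /writable/kubeconfig
      volumeMounts:
        - name: scratch
          mountPath: /writable           # the only path in this container that accepts writes
  volumes:
    - name: scratch
      emptyDir:
        medium: Memory                   # tmpfs, so the file is not written to node disk
        sizeLimit: 1Mi                   # bounds the memory the volume can consume
```

An emptyDir is deleted with the pod, so whatever is written there has to be regenerated at startup; writing to the path where the PV is mounted, the other option named in the issue, persists across restarts instead.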