chbmuc
commented
1 year ago Sure! I think this will be a useful security improvement. Please go ahead and send a PR.
Closed timp87 closed 1 year ago
chbmuc
commented
1 year ago Sure! I think this will be a useful security improvement. Please go ahead and send a PR.
timp87
commented
1 year ago Closing this issue. We may continue discussion in https://github.com/metal-stack/helm-charts/pull/67 if needed
My proposal is to set (hardcode) readOnlyRootFilesystem to true for all containers securityContext.
I find this a nice security measure and in my experience many companies enforce this setting to be on for all containers. General rule in such case is to explicitly state what volumes should be mounted. I have tried running csi-driver-lvm (0.5.3) storage class containers (all 6 containers) with readOnlyRootFilesystem set to true and found only one problem. If we agree here I can prepare a PR.