microsoft / azure-pipelines-agent

Azure Pipelines Agent 🚀
MIT License

[Question]: Is there a way to run the agents in K8s with ReadOnlyFilesystem and unprivileged? #4766

Open maragunde93 opened 6 months ago

maragunde93 commented 6 months ago

Describe your question

Hi folks, I have some AZDO Agents deployed on a K8s cluster and I would like to fix some security items found by Twistlock, specifically the container should run with:

I have been trying these policies by myself but found a lot of errors along the way, so I think asking here would be best.

I would like to know:

  1. Is it possible to run the agents with these settings on the current version?
  2. If not, is there a roadmap to have this implemented?

Thanks

Versions

v3.238.0 - Linux

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Operating system

No response

Version control system

No response

Azure DevOps Server Version (if applicable)

No response

aleksandrlevochkin commented 6 months ago

Hi @maragunde93 thank you for your question. We are working on higher-prioritized tasks at the moment, but we'll get back to this one as soon as we can.

jgschwendswica commented 1 month ago

Hi @aleksandrlevochkin I was recently working on the migration of our agents from VMSS to AKS. It was quite a struggle to get things running and quite a few nasty workarounds were needed, since we need to use read-only filesystems. Are there any updates regarding this topic?

Regards, Jonas
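One way to express the hardening the question and Jonas's comment are after, as an added example that is not part of the issue thread or of the agent project: a pod spec with `readOnlyRootFilesystem`, a non-root user, no privilege escalation and all capabilities dropped, with `emptyDir` volumes backing the only paths the agent has to write to. It assumes an image built along the lines of the documented container setup, where the entrypoint downloads the agent into `/azp` and reads the `AZP_*` variables; the image name, UID, organization URL and pool name are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: azp-agent
spec:
  automountServiceAccountToken: false   # the agent does not need the Kubernetes API
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                      # assumption: the image defines a non-root user with this UID
    runAsGroup: 1000
    fsGroup: 1000                        # emptyDir volumes become group-writable for this GID
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: agent
      image: REGISTRY/azp-agent:TAG      # placeholder: your agent image
      env:
        - name: AZP_URL
          value: https://dev.azure.com/ORG   # placeholder organization URL
        - name: AZP_POOL
          value: POOL_NAME                   # placeholder pool name
        - name: AZP_TOKEN
          valueFrom:
            secretKeyRef:                    # PAT stays in a Secret, never in the spec
              name: azp-agent-token
              key: token
        - name: AZP_WORK
          value: /azp/_work                  # keep the work directory on the writable volume
      securityContext:
        readOnlyRootFilesystem: true         # the Twistlock finding this thread is about
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: azp                          # agent download, .credentials/.agent files, _diag, _work
          mountPath: /azp
        - name: tmp                          # the .NET runtime and many tasks write to /tmp
          mountPath: /tmp
  volumes:
    - name: azp
      emptyDir: {}
    - name: tmp
      emptyDir: {}
```

Pipeline tasks that write anywhere other than `/azp` or `/tmp` will fail on the read-only root; the fix is an additional `emptyDir` mount for that path, not relaxing `readOnlyRootFilesystem`.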