Open zsolooo opened 8 months ago
I also wanted to raise an issue for this. We have the same approach forcing every workload to set the field pod.spec.containers.securityContext.readOnlyRootFilesystem
to true
.
For /var/www
there was a workaround as mentioned until
was implemented. Now we are unable to workaround this.
Update: Found a recent PR which should fix this:
But it still seems not possible. @kaitimmer does it still work for you?
But it still seems not possible. @kaitimmer does it still work for you?
Actually no, because I missed this second part. Currently, we run opencost with an exception to the rule. My hope is that this fixes all of the places where it is needed. But if you can check again, that would be great. 4-eyes more than 2 :)
I still get the message in version 1.111.0
/usr/local/bin/docker-entrypoint.sh: line 21: can't open /etc/nginx/conf.d/default.nginx.conf.template: no such file
Has anyone managed to overcome this problem?
has there been any fix or known workaround?
This worked for me:
# values.yaml
opencost:
ui:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1001
extraVolumeMounts:
- name: empty-var-www
mountPath: /var/www
extraVolumes:
- name: empty-var-www
emptyDir: {}
Describe the bug As a mandatory K8S cluster hardening policy in our organisation it's required to set
readOnlyRootFilesystem
for each container inside a pod. The actual issues are with the docker-entrypoint script: https://github.com/opencost/opencost/blob/develop/ui/docker-entrypoint.sh#L21 It tries to write a few files to the root volume (/var/www
and/etc/nginx/conf.d
). In case of/var/www
it was possible to workaround the issue by attaching a writable emptyDir volume to/var/www
, however the same approach was not possible with/etc/nginx/conf.d
, because mounting a volume on that path hides files that are already existing on that path (entrypoint script tries to read config template to use for envsubst).This issue makes the pod unable to start (CrashLoopBackoff).
To Reproduce with the tried workaround Steps to reproduce the behavior:
To Reproduce with the described workaround (still failing) Steps to reproduce the behavior:
Expected behavior Pod starts up correctly with readonly root filesystem
Screenshots Not relevant
Which version of OpenCost are you using? OpenCost: v1.109.0 Helm chart: v1.32.0
Additional context None