tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

Add new feature flag to set readOnlyRootFilesystem for pipelinerun, taskrun and Affinity assistants containers #8183

Open kristofferchr opened 2 months ago

kristofferchr commented 2 months ago

Feature request

Add a flag to enable setting the readOnlyRootFilesystem field in the securityContext for containers used in pipelinerun and taskrun.

Use case

Containers for taskrun and pipelinerun should follow security best practices by setting the readOnlyRootFilesystem field. This practice, recommended by platforms like Azure Kubernetes Service (AKS), enhances container security.

Implementation:

Introduce a feature flag set-security-context-read-only-root-filesystem in the ConfigMap feature-flags that sets the readOnlyRootFilesystem field for all init containers and the affinity assistant. This should only be applied when the set-security-context feature flag is enabled.
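The gating the request describes, as an added example that is not Tekton's own code: the proposed flag name is taken from the issue and does not exist in Tekton as a released flag, the baseline securityContext fields applied under set-security-context are an assumption for illustration, and the Container and SecurityContext structs are local stand-ins for the k8s.io/api/core/v1 types so the file runs stand-alone. WritableRootFS is the check an admission policy or CI lint would run over the rendered Pod to confirm no init container or affinity assistant container still has a writable root filesystem.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
)

// Minimal stand-ins for the Kubernetes core/v1 types; the real code would use
// k8s.io/api/core/v1, which is not imported here so the example runs offline.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	ReadOnlyRootFilesystem   *bool
	DropAllCapabilities      bool // stands in for Capabilities.Drop: ["ALL"]
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

func boolPtr(b bool) *bool { return &b }

// flagEnabled reads a boolean flag from feature-flags ConfigMap data; a missing
// or unparsable value counts as "false", the same as a flag that was never set.
func flagEnabled(flags map[string]string, key string) bool {
	v, err := strconv.ParseBool(flags[key])
	return err == nil && v
}

// ApplySecurityContext mirrors the gating proposed in the issue: nothing is
// applied unless set-security-context is enabled, and the read-only flag
// (hypothetical name from the issue) only adds to that baseline. The baseline
// fields themselves are assumed for the example. The input slice is not mutated.
func ApplySecurityContext(flags map[string]string, containers []Container) []Container {
	if !flagEnabled(flags, "set-security-context") {
		return containers
	}
	readOnly := flagEnabled(flags, "set-security-context-read-only-root-filesystem")
	out := make([]Container, len(containers))
	for i, c := range containers {
		sc := &SecurityContext{
			AllowPrivilegeEscalation: boolPtr(false),
			RunAsNonRoot:             boolPtr(true),
			DropAllCapabilities:      true,
		}
		if readOnly {
			sc.ReadOnlyRootFilesystem = boolPtr(true)
		}
		c.SecurityContext = sc // c is a copy, so the caller's slice is untouched
		out[i] = c
	}
	return out
}

// WritableRootFS returns, sorted, the names of containers whose root filesystem
// is still writable (readOnlyRootFilesystem unset or false).
func WritableRootFS(containers []Container) []string {
	var names []string
	for _, c := range containers {
		sc := c.SecurityContext
		if sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			names = append(names, c.Name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: two init containers plus the affinity assistant container.
	pod := []Container{{Name: "prepare"}, {Name: "place-scripts"}, {Name: "affinity-assistant"}}

	// Read-only flag set but the parent flag off: nothing changes.
	gatedOff := map[string]string{"set-security-context": "false", "set-security-context-read-only-root-filesystem": "true"}
	fmt.Println("gated off, writable:", WritableRootFS(ApplySecurityContext(gatedOff, pod)))

	// Both flags on: every container gets readOnlyRootFilesystem: true.
	bothOn := map[string]string{"set-security-context": "true", "set-security-context-read-only-root-filesystem": "true"}
	fmt.Println("both on, writable:  ", WritableRootFS(ApplySecurityContext(bothOn, pod)))
}
```

One caveat worth keeping in mind when turning this on: readOnlyRootFilesystem only covers the container's own root filesystem, not mounted volumes, so any path these containers need to write to must be backed by a volume mount (an emptyDir, for instance) or the write fails with a read-only file system error.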

kristofferchr commented 2 months ago

/assign