Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1187

readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • shipwright
    • None
    • readOnlyRootFilesystem should be explicitly to true and if required to false for security reason
    • False
    • None
    • False
    • Not Selected
    • To Do

      Epic Goal*

      According to security best practice, it's recommended to set readOnlyRootFilesystem: true for all containers running on kubernetes. All operators and operands should explicitly set readOnlyRootFilesystem to true unless there are legitimate reasons for not doing so and with an explanation to why the root filesystem is not readonly.  

       
      Why is this important? (mandatory)

      Extensive security audits are run on OpenShift Container Platform 4 and are highlighting that many vendor specific container is missing to set readOnlyRootFilesystem: true or else justify why readOnlyRootFilesystem: false is set.

       
      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. As an OCP admin I want to ensure that best practice are applied unless there is a valid reason not to do so

       
      Dependencies (internal and external) (mandatory)

      What items must be delivered by other teams/groups to enable delivery of this epic. 

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation -
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      All operators and operands should explicitly set readOnlyRootFilesystem to true unless there are legitimate reasons for not doing so and with an explanation to why the root filesystem is not readonly. 

      Drawbacks or Risk (optional)

      Need to be careful readOnlyRootFilesystem: true doesn't break anything

       

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing -  Basic e2e automationTests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

              Unassigned Unassigned
              rh-ee-ssadeghi Siamak Sadeghianfar
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: