[CCO-647] Enable readOnlyRootFilesystem on all pods

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
readOnlyRootFilesystem should be explicitly to true and if required to false for security reason
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Enable readOnlyRootFilesystem on all of the cloud-credential-operator pods. This will require reverting prior changes that caused the tls-ca-bundler.pem to be mounted in a temporary location and then moved to the default location as part of the cloud-credential-operator pod's command.

links to

openshift/cloud-credential-operator#819: CCO-647: Enable readOnlyRootFilesystem on all containers

Jeremiah Stuever added a comment - 2025/03/27 7:10 PM

mihuang@redhat.com OCP-80542 lgtm

Jeremiah Stuever added a comment - 2025/03/27 7:10 PM mihuang@redhat.com OCP-80542 lgtm

Jeremiah Stuever added a comment - 2025/03/24 5:24 PM

mihuang@redhat.com OCP-80542 mostly looks good, with exception of the step(s) to ensure the CA certificates are correctly mounted. As it is currently written, it only checks that the file exists. Because this file exists in the images themselves, it always exists. In order to accomplish this task, you would need to somehow show that the contents of the file match the contents of the file that was mounted.

Jeremiah Stuever added a comment - 2025/03/24 5:24 PM mihuang@redhat.com OCP-80542 mostly looks good, with exception of the step(s) to ensure the CA certificates are correctly mounted. As it is currently written, it only checks that the file exists. Because this file exists in the images themselves, it always exists. In order to accomplish this task, you would need to somehow show that the contents of the file match the contents of the file that was mounted.

Jeremiah Stuever added a comment - 2025/03/07 5:06 PM

My concerns about removing the CA bundle workaround have been resolved. In looking at the original bugs where it was introduced, it was said that the workaround could only be tested in a 4.1 to 4.2 upgrade (as opposed to a 4.2 to 4.3 upgrade). This indicates the workaround was specifically to resolve an issue with that particular upgrade.

Jeremiah Stuever added a comment - 2025/03/07 5:06 PM My concerns about removing the CA bundle workaround have been resolved. In looking at the original bugs where it was introduced, it was said that the workaround could only be tested in a 4.1 to 4.2 upgrade (as opposed to a 4.2 to 4.3 upgrade). This indicates the workaround was specifically to resolve an issue with that particular upgrade.

Assignee:: Jeremiah Stuever

Reporter:: Jeremiah Stuever

QA Contact:: Mingxia Huang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/02/20 8:38 PM

Updated:: 2025/03/28 4:52 AM

Resolved:: 2025/03/28 4:52 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Jeremiah Stuever added a comment - 2025/03/27 7:10 PM

Expand comment: Jeremiah Stuever added a comment - 2025/03/27 7:10 PM

Collapse comment: Jeremiah Stuever added a comment - 2025/03/24 5:24 PM

Expand comment: Jeremiah Stuever added a comment - 2025/03/24 5:24 PM

Collapse comment: Jeremiah Stuever added a comment - 2025/03/07 5:06 PM

Expand comment: Jeremiah Stuever added a comment - 2025/03/07 5:06 PM

People

Dates