  1. OpenShift Console
  2. CONSOLE-3791

readOnlyRootFilesystem should be explicitly set to true, or if required to false, for security reasons


Details

    • Story
    • Resolution: Done
    • Major
    • openshift-4.15
    • None
    • None
    • HAC Infra OCP - Sprint 245

    Description

      According to security best practice, it is recommended to set readOnlyRootFilesystem: true for all containers running on Kubernetes. Given that openshift-console does not set it explicitly, it is requested that this be evaluated and, if possible, set to readOnlyRootFilesystem: true, or otherwise to readOnlyRootFilesystem: false with an explanation of why the filesystem needs to be writable.

      3. Why does the customer need this? (List the business requirements here)
      Extensive security audits are run on OpenShift Container Platform 4, and they highlight that many vendor-specific containers fail to set readOnlyRootFilesystem: true or else to justify why readOnlyRootFilesystem: false is set.

       

      AC: Set the readOnlyRootFilesystem field in the spec of both the console and console-operator deployments. Part of the work is to determine the value: true if the pod is not doing any writing to its filesystem, otherwise false.
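
The audit finding described above, as an added example that is not part of the ticket or the console project's code: a check that separates an unset readOnlyRootFilesystem from an explicit true or false for each container, and lists the emptyDir mounts that remain writable. The deployment names, container names and mount paths are hypothetical.

```python
# Constructed sample manifests; the names and values are hypothetical and are
# not the real console or console-operator deployment specs.
SAMPLE_DEPLOYMENTS = [
    {"kind": "Deployment", "metadata": {"name": "sample-console"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "tmp", "emptyDir": {}}],
         "containers": [{
             "name": "console",
             "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}}},
    {"kind": "Deployment", "metadata": {"name": "sample-operator"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "setup", "securityContext": {}}],
         "containers": [{
             "name": "operator",
             "securityContext": {"readOnlyRootFilesystem": False}}]}}}},
]


def audit_read_only_rootfs(manifest):
    """Return (deployment, container, status, writable_mounts) per container.

    The field is container-level only, so each container and initContainer is
    checked on its own; an absent field is "unset", not an explicit false.
    """
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    deployment = manifest.get("metadata", {}).get("name", "<unnamed>")
    # emptyDir volumes stay writable even when the root filesystem is read-only.
    empty_dirs = {v["name"] for v in pod_spec.get("volumes") or []
                  if "emptyDir" in v}
    findings = []
    for group in ("initContainers", "containers"):
        for c in pod_spec.get(group) or []:
            value = (c.get("securityContext") or {}).get("readOnlyRootFilesystem")
            status = ("explicit-true" if value is True
                      else "explicit-false" if value is False else "unset")
            writable = sorted(m["mountPath"] for m in c.get("volumeMounts") or []
                              if m["name"] in empty_dirs and not m.get("readOnly"))
            findings.append((deployment, c["name"], status, writable))
    return findings


def containers_needing_decision(manifests):
    """Containers an audit would flag: the field was never set explicitly."""
    return [(d, c) for m in manifests
            for d, c, status, _ in audit_read_only_rootfs(m) if status == "unset"]
```
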

            People

              rh-ee-jonjacks Jon Jackson
              jcaiani@redhat.com Joseph Caiani