-
Feature
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
-
BU Product Work
-
False
-
-
False
-
67% To Do, 0% In Progress, 33% Done
-
0
Epic Goal
- Address concerns during security audits that the integrated registry pods do not set the readOnlyRootFilesystem property to true
Why is this important?
- Extensive security audits are run on OpenShift Container Platform 4 and are highlighting that many vendor specific container is missing to set readOnlyRootFilesystem: true or else justify why readOnlyRootFilesystem: false is set.
Scenarios
- The integrated registry pods don't have any business writing to the root filesystem mount so they should be explicitly scheduled with readOnlyRootFilesystem: true
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- ...
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- incorporates
-
RFE-4160 [openshift-image-registry] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason
- Accepted