Loading...

XML

Word

Printable

Type: Risk
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- ACM
- CCO
- MCO
- OCPCLOUD
- build
- ingress-operator
- node-tuning-operator
- service-mesh
- tekton_pipeline,

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False

Risk Score:
0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Red Hat Product Security recommends that pods be deployed with readOnlyRootFilesystem set to true in the SecurityContext, but does not require it because a successful attack can only be carried out with a combination of weaknesses and OpenShift runs with a variety of mitigating controls.

However, customers are increasingly asking questions about why pods from Red Hat, and deployed as part of OpenShift, do not follow common hardening recommendations.

Note that setting readOnlyRootFilesystem to true ensures that the container's root filesystem is mounted as read-only. This setting has nothing to do with host access.

For more information, see
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Setting the readOnlyRootFilesystem flag to true reduces the attack surface of your containers, preventing an attacker from manipulating the contents of your container and its root file system.

If your container needs to write temporary files, you can specify the ability to mount an emptyDir in the Security Context for your pod as described here. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

The following containers have been identified by customer scans as needing remediation. If your pod will not function with readOnlyRootFilesystem set to true, please document why so that we can document the reason for the exception.

Service Mesh operator with sidecar-injector (this needs some additional investigation as we no longer ship the sidecar-injector with Service Mesh)
S2I and Build operators: webhook
tekton-pipelines-controller
tekton-chains-controller
openshift-pipelines-operator-cluster-operations
tekton-operator-webhook
openshift-pipelines-operator-lifecycle-event-listener
Pac-webhook (part of Pipelines)
Cluster ingress operator: serve-healthcheck-canary
Node tuning operator: Tuned
Machine Config Operator: Machine-config-daemon
ACM Operator: Klusterlet-manifestwork-agent. This was fixed in ACM 2.10. https://github.com/stolostron/ocm/blob/backplane-2.5/manifests/klusterlet/management/klusterlet-work-deployment.yaml

depends on

CCO-385 readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

STOR-2126 readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

BUILD-1187 readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

OCPSTRAT-740 readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

OCPSTRAT-1076 Align the IR with security best practices about read-only root filesystem

is related to

RFE-4146 [openshift-controller-manager] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4147 [openshift-cluster-version] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4150 [openshift-dns] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4152 [openshift-insights] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4154 [openshift-kube-controller-manager] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4157 [openshift-kube-scheduler] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4159 [openshift-cluster-node-tuning] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Backlog

RFE-4148 [openshift-etcd] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Rejected

RFE-4151 [openshift-ingress] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Rejected

RFE-4153 [openshift-kube-apiserver] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Rejected

RFE-4162 [openshift-operator-lifecycle-manager] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Under Review

RFE-4149 [openshift-console] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Accepted

RFE-4155 [openshift-network] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Accepted

RFE-4156 [openshift-cloud-credential-operator] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Accepted

RFE-4158 [openshift-cluster-storage] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Accepted

RFE-4160 [openshift-image-registry] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason

Accepted

relates to

OCPSTRAT-1752 Read-Only Root Filesystem for OpenShift Node Tuning Operator (NTO)

Closed

(16 is related to, 1 relates to)

Assignee:: Kirsten Newcomer

Reporter:: Kirsten Newcomer

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/10/08 3:46 PM

Updated:: 2024/11/18 1:02 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates