OpenShift Container Platform (OCP) Strategy
OCPSTRAT-1976

OLMv0: Enforce `readOnlyRootFilesystem: true` for enhanced security (and provide brief justification for `false` exceptions)

    • Product / Portfolio Work
    • OCPSTRAT-27 OLM V1: Operators, Operator Lifecycle Management, and Operator Hub
    • 0% To Do, 0% In Progress, 100% Done

      Feature Overview (aka. Goal Summary)  

      To strengthen the security posture of containers running on Kubernetes, particularly within the OpenShift environment, it is crucial to explicitly set `readOnlyRootFilesystem: true` whenever feasible.  When write access to the filesystem is genuinely required, `readOnlyRootFilesystem: false` should be used, accompanied by a clear explanation of the necessity. 

      Currently, OLMv0 does not consistently enforce this practice. This ticket covers evaluating OLM's current configuration, setting `readOnlyRootFilesystem: true` wherever possible, and providing a brief justification for every instance where `readOnlyRootFilesystem: false` is set.

      Background

      Several factors underscore the importance of enforcing `readOnlyRootFilesystem: true`:

      • CIS Benchmarks: Adherence to CIS OpenShift benchmarks, a common security hardening standard, is essential for many customers.
      • Customer Feedback: Customers have raised concerns regarding the lack of consistent application of security best practices, specifically regarding `readOnlyRootFilesystem` settings.
      • Red Hat Security Recommendations: Red Hat Product Security recommends deploying pods with `readOnlyRootFilesystem: true` in the SecurityContext. While not a strict requirement due to OpenShift's inherent mitigating controls, its implementation significantly reduces potential attack vectors.
      • Security Audits: Extensive security audits of OpenShift Container Platform 4 have revealed inconsistencies in vendor-specific container configurations, with many failing to set `readOnlyRootFilesystem: true` or to provide justifications for `false`.
      • Customer Expectations: Customers expect Red Hat-provided pods within OpenShift to adhere to established security hardening recommendations.

      Current OLM State

      Previous analysis of OLMv0 pods in OpenShift `4.16.0-0.nightly-2024-05-01-111315`:

      • Pods in the `openshift-operator-lifecycle-manager` namespace:
        • `readOnlyRootFilesystem` is not explicitly set in any pod.
      • Pods in the `openshift-marketplace` namespace:
        • 4 out of 5 pods have `readOnlyRootFilesystem` explicitly set to `false` (the catalog pods from the 4 default catalogs).
        • The marketplace-operator pod lacks this setting.
        • The `false` setting in the catalog pods likely reflects the need for filesystem write access.
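      As an added example (not OLM tooling and not part of this ticket), a small Python audit that classifies every container in an `oc get pods -o json` PodList as `true`, `false` or unset, so the two gaps named above (an absent key versus an explicit `false` that needs a justification) are reported separately. The PodList below is constructed to mirror the state described above; its pod names are placeholders.

```python
"""Audit containers for readOnlyRootFilesystem (added example, not OLM's own code).

Input is the JSON document that `oc get pods -A -o json` returns. The sample
below is a constructed, trimmed PodList whose pod names are placeholders.
"""
import json
from collections import Counter

# Constructed sample mirroring the ticket: OLM pods with the key absent, a catalog
# pod with an explicit false, the marketplace-operator pod unset, one hardened pod.
SAMPLE_PODLIST = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-operator-lifecycle-manager", "name": "olm-operator-PLACEHOLDER"},
     "spec": {"containers": [{"name": "olm-operator"}]}},
    {"metadata": {"namespace": "openshift-marketplace", "name": "redhat-operators-PLACEHOLDER"},
     "spec": {"containers": [{"name": "registry-server",
                              "securityContext": {"readOnlyRootFilesystem": False}}]}},
    {"metadata": {"namespace": "openshift-marketplace", "name": "marketplace-operator-PLACEHOLDER"},
     "spec": {"containers": [{"name": "marketplace-operator"}]}},
    {"metadata": {"namespace": "openshift-marketplace", "name": "hardened-PLACEHOLDER"},
     "spec": {"containers": [{"name": "app", "securityContext": {"readOnlyRootFilesystem": True}}]}},
]})

def classify(container: dict) -> str:
    """Return 'true', 'false' or 'unset' for one container's securityContext.

    readOnlyRootFilesystem exists only at container level (PodSecurityContext has
    no such field), so the pod-level securityContext is deliberately not consulted.
    """
    value = (container.get("securityContext") or {}).get("readOnlyRootFilesystem")
    if value is None:
        return "unset"
    return "true" if value else "false"

def audit(podlist_json: str) -> list[tuple[str, str, str, str]]:
    """Return (namespace, pod, container, state) for every container and initContainer."""
    findings = []
    for pod in json.loads(podlist_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        spec = pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            findings.append((ns, name, c["name"], classify(c)))
    return findings

def summarize(findings: list[tuple[str, str, str, str]]) -> dict[str, Counter]:
    """Count states per namespace; 'unset' and 'false' are the rows needing action."""
    per_ns: dict[str, Counter] = {}
    for ns, _, _, state in findings:
        per_ns.setdefault(ns, Counter())[state] += 1
    return per_ns

if __name__ == "__main__":
    for ns, counts in summarize(audit(SAMPLE_PODLIST)).items():
        print(f"{ns}: {dict(counts)}")
```

      Against a live cluster, feed it the output of `oc get pods -A -o json` instead of the constructed sample.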

      Requirements (aka. Acceptance Criteria):

      • Impact assessment: Investigate the impact of enforcing `readOnlyRootFilesystem: true` on OLM v0.
      • Implementation (or Justification): Implement the necessary changes in a future OLM release to enforce `readOnlyRootFilesystem: true` by default.  For any instances where `readOnlyRootFilesystem: false` is required, provide clear and concise explanations outlining the specific use cases and justifications.


              Shaza Aldawamneh (rh-ee-saldawam)
              Tony Wu (rhn-coreos-tunwu)
              Jian Zhang
              Matthew Werner
              Eric Rich