Feature
Resolution: Unresolved
Major
Product / Portfolio Work
0% To Do, 0% In Progress, 100% Done
Feature Overview (aka. Goal Summary)
To strengthen the security posture of containers running on Kubernetes, particularly within the OpenShift environment, it is crucial to explicitly set `readOnlyRootFilesystem: true` whenever feasible. When write access to the filesystem is genuinely required, `readOnlyRootFilesystem: false` should be used, accompanied by a clear explanation of the necessity.
Currently, OLMv0 does not consistently follow this practice. This ticket covers evaluating OLM's current configuration, setting `readOnlyRootFilesystem: true` wherever possible, and providing brief justifications for any instances where `readOnlyRootFilesystem: false` is set.
Background
Several factors underscore the importance of enforcing `readOnlyRootFilesystem: true`:
- CIS Benchmarks: Adherence to the CIS OpenShift benchmarks, a common security hardening standard, is essential for many customers.
- Customer Feedback: Customers have raised concerns regarding the lack of consistent application of security best practices, specifically regarding `readOnlyRootFilesystem` settings.
- Red Hat Security Recommendations: Red Hat Product Security recommends deploying pods with `readOnlyRootFilesystem: true` in the `securityContext`. While not a strict requirement due to OpenShift's inherent mitigating controls, its implementation significantly reduces potential attack vectors.
- Security Audits: Extensive security audits of OpenShift Container Platform 4 have revealed inconsistencies in vendor-specific container configurations, with many failing to set `readOnlyRootFilesystem: true` or to provide justifications for `false`.
- Customer Expectations: Customers expect Red Hat-provided pods within OpenShift to adhere to established security hardening recommendations.
Current OLM State
Previous analysis of OLMv0 pods in OpenShift `4.16.0-0.nightly-2024-05-01-111315`:
- Pods in the `openshift-operator-lifecycle-manager` namespace:
  - `readOnlyRootFilesystem` is not explicitly set in any pod.
- Pods in the `openshift-marketplace` namespace:
  - 4 out of 5 pods have `readOnlyRootFilesystem` explicitly set to `false` (the catalog pods from the 4 default catalogs).
  - The marketplace-operator pod lacks this setting.
  - The `false` setting in the catalog pods likely reflects the need for filesystem write access.
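The namespace audit described above can be reproduced with a short script. This is an added example, not code from the ticket or from OLM: it reads the JSON produced by `kubectl get pods -n <namespace> -o json` (a constructed sample modelled on the marketplace namespace is embedded so it runs offline) and reports, per container, whether `readOnlyRootFilesystem` is explicitly `true`, explicitly `false`, or unset.

```python
"""Audit the readOnlyRootFilesystem setting on every container in a pod list."""
import json
import sys
from collections import Counter

# Constructed sample modelled on the ticket's description of the
# openshift-marketplace namespace (not real cluster output): a catalog
# pod sets the field to false explicitly, marketplace-operator leaves it unset.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"name": "certified-operators-abc12", "namespace": "openshift-marketplace"},
         "spec": {"containers": [{"name": "registry-server",
                                  "securityContext": {"readOnlyRootFilesystem": False}}]}},
        {"metadata": {"name": "marketplace-operator-xyz98", "namespace": "openshift-marketplace"},
         "spec": {"containers": [{"name": "marketplace-operator",
                                  "securityContext": {"runAsNonRoot": True}}]}},
    ]
}

def rorf_state(container):
    """Return 'true', 'false' or 'unset' for one container spec."""
    value = (container.get("securityContext") or {}).get("readOnlyRootFilesystem")
    if value is None:
        return "unset"  # Kubernetes default: the root filesystem is writable
    return "true" if value else "false"

def audit(pod_list):
    """Map (namespace, pod, container) -> state over regular and init containers."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            findings[(meta["namespace"], meta["name"], c["name"])] = rorf_state(c)
    return findings

def summarize(findings):
    """Count containers per state; anything not 'true' needs a fix or a written justification."""
    return dict(Counter(findings.values()))

if __name__ == "__main__":
    # Usage: kubectl get pods -n openshift-marketplace -o json > pods.json
    #        python <this script> pods.json   (no argument: audit the embedded sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    results = audit(data)
    for (ns, pod, container), state in sorted(results.items()):
        print(f"{ns}/{pod}/{container}: readOnlyRootFilesystem={state}")
    print("summary:", summarize(results))
```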
Requirements (aka. Acceptance Criteria):
- Impact assessment: Investigate the impact of enforcing `readOnlyRootFilesystem: true` on OLM v0.
- Implementation (or Justification): Implement the necessary changes in a future OLM release to enforce `readOnlyRootFilesystem: true` by default. For any instances where `readOnlyRootFilesystem: false` is required, provide clear and concise explanations outlining the specific use cases and justifications.
Issue links
- is cloned by: OCPSTRAT-2075 OLM v1: Enforce `readOnlyRootFilesystem: true` for enhanced security (and provide brief justification for `false` exceptions) (Release Pending)
- is depended on by: OCPSTRAT-2045 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20] (In Progress)
- is depended on by: OCPSTRAT-1699 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.19] (Closed)
- is triggered by: RFE-4162 [openshift-operator-lifecycle-manager] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason (Closed)