Feature Overview (aka. Goal Summary)  

To strengthen the security posture of containers running on Kubernetes, particularly within the OpenShift environment, it is crucial to explicitly set `readOnlyRootFilesystem: true` whenever feasible.  When write access to the filesystem is genuinely required, `readOnlyRootFilesystem: false` should be used, accompanied by a clear explanation of the necessity. 

Currently, OLMv0 does not consistently enforce this practice.  This ticket is aimed at evaluation of OLM's current configuration, implementation of `readOnlyRootFilesystem: true` where possible, and brief justifications for any instances where `readOnlyRootFilesystem: false` is set.

Background

Several factors underscore the importance of enforcing readOnlyRootFilesystem: true:

• CIS Benchmarks: Adherence to CIS OpenShift benchmarks, a common security hardening standard, is essential for many customers.
• Customer Feedback: Customers have raised concerns regarding the lack of consistent application of security best practices, specifically regarding readOnlyRootFilesystem settings.
• Red Hat Security Recommendations: Red Hat Product Security recommends deploying pods with readOnlyRootFilesystem: true in the SecurityContext. While not a strict requirement due to OpenShift's inherent mitigating controls, its implementation significantly reduces potential attack vectors.
• Security Audits: Extensive security audits of OpenShift Container Platform 4 have revealed inconsistencies in vendor-specific container configurations, with many failing to set readOnlyRootFilesystem: true or provide justifications for false.
• Customer Expectations: Customers expect Red Hat-provided pods within OpenShift to adhere to established security hardening recommendations.

Current OLM State

Previous analysis of OLMv0 pods in OpenShift `4.16.0-0.nightly-2024-05-01-111315`:

• Pods in the `openshift-operator-lifecycle-manager` namespace:
  • readOnlyRootFilesystem is not explicitly set in any pods

• Pods in the `openshift-marketplace` namespace:
  • 4 out of 5 pods have `readOnlyRootFilesystem` explicitly set to `false` (catalog pods from the 4 default catalogs).
  • The marketplace-operator pod lacks this setting
  • The false setting in the catalog pods likely reflects the need for filesystem write access

Requirements (aka. Acceptance Criteria):

• Impact assessment: Investigate the impact of enforcing `readOnlyRootFilesystem: true` on OLM v0.

• Implementation (or Justification): Implement the necessary changes in a future OLM release to enforce `readOnlyRootFilesystem: true` by default.  For any instances where `readOnlyRootFilesystem: false` is required, provide clear and concise explanations outlining the specific use cases and justifications.