Feature
Resolution: Done
Major
Product / Portfolio Work
0% To Do, 0% In Progress, 100% Done
Feature Overview (aka. Goal Summary)
To strengthen the security posture of containers running on Kubernetes, particularly within the OpenShift environment, it is crucial to explicitly set `readOnlyRootFilesystem: true` whenever feasible. When write access to the filesystem is genuinely required, `readOnlyRootFilesystem: false` should be used, accompanied by a clear explanation of the necessity.
Currently, OLMv1 does not consistently enforce this practice. This ticket covers evaluating OLM's current configuration, implementing `readOnlyRootFilesystem: true` where possible, and providing brief justifications for any instances where `readOnlyRootFilesystem: false` is set.
Background
Several factors underscore the importance of enforcing `readOnlyRootFilesystem: true`:
- CIS Benchmarks: Adherence to CIS OpenShift benchmarks, a common security hardening standard, is essential for many customers.
- Customer Feedback: Customers have raised concerns regarding the lack of consistent application of security best practices, specifically regarding `readOnlyRootFilesystem` settings.
- Red Hat Security Recommendations: Red Hat Product Security recommends deploying pods with `readOnlyRootFilesystem: true` in the SecurityContext. While not a strict requirement due to OpenShift's inherent mitigating controls, its implementation significantly reduces potential attack vectors.
- Security Audits: Extensive security audits of OpenShift Container Platform 4 have revealed inconsistencies in vendor-specific container configurations, with many failing to set `readOnlyRootFilesystem: true` or provide justifications for `false`.
- Customer Expectations: Customers expect Red Hat-provided pods within OpenShift to adhere to established security hardening recommendations.
Requirements (aka. Acceptance Criteria):
- Impact assessment: Investigate the impact of enforcing `readOnlyRootFilesystem: true` on OLM v1.
- Implementation (or Justification): Implement the necessary changes in a future OLM release to enforce `readOnlyRootFilesystem: true` by default. For any instances where `readOnlyRootFilesystem: false` is required, provide clear and concise explanations outlining the specific use cases and justifications.
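
One way to run the impact assessment above over rendered manifests, as an added example (not OLM's own code): it flags containers that leave `readOnlyRootFilesystem` unset, or set it to `false` without a recorded justification. The annotation key used to hold the justification and the sample Deployment are assumptions constructed for illustration.

```python
# Added example: audit a workload manifest for readOnlyRootFilesystem settings.
# Hypothetical annotation key (an assumption, not an OLM or Kubernetes convention)
# recording why a container needs a writable root filesystem.
JUSTIFICATION_PREFIX = "example.com/writable-rootfs."

# Constructed sample manifest (not taken from OLM).
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "demo-controller"},
    "spec": {"template": {
        "metadata": {"annotations": {
            JUSTIFICATION_PREFIX + "cache": "writes an index under /var/cache",
        }},
        "spec": {
            "initContainers": [
                {"name": "setup", "securityContext": {"readOnlyRootFilesystem": False}},
            ],
            "containers": [
                {"name": "manager", "securityContext": {"readOnlyRootFilesystem": True}},
                {"name": "cache", "securityContext": {"readOnlyRootFilesystem": False}},
                {"name": "proxy", "securityContext": {"runAsNonRoot": True}},
            ],
        },
    }},
}

def pod_template(obj):
    """Return (metadata, spec) of the pod template for common workload kinds."""
    if obj.get("kind") == "Pod":
        return obj.get("metadata") or {}, obj.get("spec") or {}
    spec = obj["spec"]
    if obj.get("kind") == "CronJob":
        spec = spec["jobTemplate"]["spec"]
    tpl = spec["template"]  # Deployment, StatefulSet, DaemonSet, Job
    return tpl.get("metadata") or {}, tpl.get("spec") or {}

def audit(obj):
    """List (container, problem) pairs; the field exists only per container."""
    meta, spec = pod_template(obj)
    annotations = meta.get("annotations") or {}
    findings = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            value = (c.get("securityContext") or {}).get("readOnlyRootFilesystem")
            if value is None:
                findings.append((c["name"], "unset"))
            elif value is False and not annotations.get(
                    JUSTIFICATION_PREFIX + c["name"], "").strip():
                findings.append((c["name"], "false-without-justification"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{SAMPLE['metadata']['name']}/{name}: {problem}")
```
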
- clones
  - OCPSTRAT-1976 OLMv0: Enforce `readOnlyRootFilesystem: true` for enhanced security (and provide brief justification for `false` exceptions) (Closed)
- is depended on by
  - OCPSTRAT-2045 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20] (In Progress)
  - OCPSTRAT-1699 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.19] (Closed)
- is triggered by
  - RFE-4162 [openshift-operator-lifecycle-manager] - readOnlyRootFilesystem should be explicitly to true and if required to false for security reason (Closed)