Feature
Resolution: Unresolved
Critical
Feature Overview
This feature enhances the oc adm node-image command, which generates ephemeral pods that are used to create the ISO. The generator pod will now be configured with a read-only root filesystem (readOnlyRootFilesystem: true), reducing the attack surface and aligning with Red Hat Product Security recommendations.
Goals
- Security Compliance: Ensure the ephemeral pods created by oc adm node-image run with readOnlyRootFilesystem: true and comply with the restricted Pod Security Standard by default.
- Primary User: Cluster Administrator (Infrastructure) and Security Architect.
Requirements
Functional Requirements
- Read-Only Root Filesystem: The pod specification generated by oc adm node-image MUST set securityContext.readOnlyRootFilesystem: true.
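One way to check a generated pod against this requirement, as an added example (not code from oc or from this ticket): the function audits a pod object, such as the output of `oc get pod -o json`, for readOnlyRootFilesystem and for the container-level securityContext controls of the restricted Pod Security Standard. The sample pod and its container names are constructed, and the check does not cover the profile's volume or host-namespace rules.

```python
import json

# Constructed sample shaped like `oc get pod -o json` output; names are placeholders.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "hardened", "securityContext": {
                "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]}}},
            {"name": "legacy", "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]}}},
        ],
    }
}

def audit_pod(pod):
    """Return a list of findings; an empty list means every container passes."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            name = c.get("name", "?")
            sc = c.get("securityContext") or {}
            # Fields settable at both levels: the container value overrides the pod value.
            eff = lambda field: sc.get(field, pod_sc.get(field))
            caps = sc.get("capabilities") or {}
            # readOnlyRootFilesystem exists only at container level and defaults to false.
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{name}: readOnlyRootFilesystem is not true")
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{name}: allowPrivilegeEscalation is not false")
            if eff("runAsNonRoot") is not True:
                findings.append(f"{name}: runAsNonRoot is not true")
            if "ALL" not in (caps.get("drop") or []):
                findings.append(f"{name}: capabilities.drop lacks ALL")
            if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
                findings.append(f"{name}: capabilities.add beyond NET_BIND_SERVICE")
            if (eff("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
                findings.append(f"{name}: seccompProfile is not RuntimeDefault/Localhost")
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_pod(SAMPLE_POD), indent=2))
```

A container that passes the restricted-profile checks can still fail the first one, as the constructed `legacy` container does, because readOnlyRootFilesystem is not among the restricted profile's controls and has to be verified separately.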
Non-Functional Requirements
- Usability: The command must function transparently to the user; no additional flags should be required to enable the secure mode.
Use Case
Scenario: ISO Generation in a Disconnected, Restricted Environment
As a Cluster Administrator managing a high-security, air-gapped OpenShift cluster, I want to run oc adm node-image create to generate a bootable ISO for a new node.
Out of Scope
Links
- Master Feature: OCPSTRAT-2045 - Configure containers to set readOnlyRootFilesystem to true
- blocks
  - OCPBUGS-64840 Let oc client to use ICSPExplicitStrategy instead of ICSPOnErrorStrategy during node addition in a disconnected Environment (ASSIGNED)
  - OCPBUGS-64830 The namespace created by `oc adm node-image create` contains incorrect PSA labels (ASSIGNED)
- clones
  - OCPSTRAT-2714 [TP] ABI - Support for RHCOS 10 in dual-stream mode with RHCOS 9 (New)