Type: Feature
Resolution: Unresolved
Product / Portfolio Work
Progress: 100% To Do, 0% In Progress, 0% Done
Overview
Enable cluster admins and application developers to specify secure mount options such as noexec, nosuid, and nodev for emptyDir volumes in OpenShift. This improves workload security posture when using read-only root filesystems while still allowing controlled temporary writable storage.
User Benefit
Users can safely use emptyDir volumes for scratch space without weakening container security controls. This closes a common security gap where writable temp storage becomes an unintended execution surface.
Problem Statement
Today, emptyDir volumes are mounted without configurable mount flags. When workloads run with readOnlyRootFilesystem enabled, attackers can still download and execute binaries from writable emptyDir storage. This reduces the effectiveness of hardened container configurations.
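As an added illustration of the gap described above (not part of the feature request itself), the following audit walks a pod spec and reports every writable emptyDir mount, marking those that sit next to a container hardened with readOnlyRootFilesystem. The pod manifest is constructed for the example; `audit_pod` and `SAMPLE_POD` are names introduced here.

```python
"""Audit a Kubernetes/OpenShift pod spec for writable emptyDir mounts.

Because emptyDir currently exposes no mount flags (noexec, nosuid, nodev),
the only thing an admission or CI check can do today is find the pairing
the feature request describes: a container that runs with
readOnlyRootFilesystem but still gets a writable, executable scratch volume.
"""


def audit_pod(pod: dict) -> list[dict]:
    spec = pod.get("spec", {})
    # emptyDir is identified by the presence of the key, including tmpfs
    # (medium: Memory); both are writable and executable today.
    empty_dirs = {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}
    findings = []
    # readOnlyRootFilesystem is a container-level setting only; the pod-level
    # securityContext has no such field, so each container is inspected.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        ro_root = bool(sc.get("readOnlyRootFilesystem", False))
        for m in c.get("volumeMounts", []):
            if m["name"] not in empty_dirs or m.get("readOnly", False):
                continue  # not emptyDir, or mounted read-only: nothing can be dropped there
            findings.append({
                "pod": pod["metadata"]["name"],
                "container": c["name"],
                "volume": m["name"],
                "mountPath": m["mountPath"],
                # True means the hardened root filesystem is undermined by this mount.
                "undermines_readonly_root": ro_root,
            })
    return findings


# Constructed sample manifest: one hardened app container with rw scratch,
# one sidecar with a read-only tmpfs mount, one unhardened init container.
SAMPLE_POD = {
    "metadata": {"name": "web-1"},
    "spec": {
        "volumes": [
            {"name": "scratch", "emptyDir": {}},
            {"name": "mem", "emptyDir": {"medium": "Memory"}},
            {"name": "cfg", "configMap": {"name": "web-cfg"}},
        ],
        "containers": [
            {"name": "app", "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"},
                              {"name": "cfg", "mountPath": "/etc/app", "readOnly": True}]},
            {"name": "sidecar", "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [{"name": "mem", "mountPath": "/run/cache", "readOnly": True}]},
        ],
        "initContainers": [
            {"name": "init", "volumeMounts": [{"name": "scratch", "mountPath": "/work"}]},
        ],
    },
}

if __name__ == "__main__":
    for f in audit_pod(SAMPLE_POD):
        print(f)
```

Run against real manifests, the same walk applies to any object that embeds a pod template (Deployment, StatefulSet, Job) by passing `spec.template`.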