XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: openshift-4.20
Affects Version/s: None
Labels:
- pre-merge-tested

Epic Name:
OLMv0: Enforce `readOnlyRootFilesystem: true` for enhanced security (and provide brief justification for `false` exceptions)
Activity Type:
Product / Portfolio Work
Parent Link:
OCPSTRAT-1976OLMv0: Enforce `readOnlyRootFilesystem: true` for enhanced security (and provide brief justification for `false` exceptions)
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Size:
None

Target Version:

openshift-4.20
Release Blocker:
None

Epic Goal

Set `readOnlyRootFilesystem: true` in pods of `openshift-operator-lifecycle-manager` namespace. Including catalog-operator, olm-operator, package-server-manager, packageserver, and collect-profiles job.
For 4 default CatalogSources where `readOnlyRootFilesystem: false`, provide clear and concise explanations outlining the specific use cases and justifications :
- certified-operators
- community-operators
- redhat-marketplace
- redhat-operators

Current OLM State

Analysis of OLMv0 pods in OpenShift `4.20.0-0.nightly-2025-07-21-025204`:

Pods in the `openshift-operator-lifecycle-manager` namespace:
- readOnlyRootFilesystem is not explicitly set in any pods

Pods in the `openshift-marketplace` namespace:
- 4 out of 5 pods have `readOnlyRootFilesystem` explicitly set to `false` (catalog pods from the 4 default catalogs).
- The marketplace-operator pod has this setting: readOnlyRootFilesystem: true
- The false setting in the catalog pods likely reflects the need for filesystem write access

Why is this important?

It improves security by ensuring that executables and configuration shipped in the signed image cannot be manipulated by attackers at runtime.

Scenarios

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
...

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

links to

[upstream] Enabled readonlyRootFilesystem by default

openshift/operator-framework-olm#1043

operator-framework/operator-marketplace#634

Assignee:: Catherine Chan-Tse

Reporter:: Jian Zhang

Contributors:: None

QA Contact:: Jian Zhang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/07/21 9:27 AM

Updated:: 2025/08/28 3:04 AM

Resolved:: 2025/08/28 3:04 AM

Details

Description

Epic Goal

Current OLM State

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide