[PROJQUAY-8703] Configure Quay & Clair containers to set readOnlyRootFilesystem to true on OCP - Red Hat Issue Tracker

Type: Feature
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: clair-downstream, container-security-operator, quay, quay-bridge-operator, quay-builder, quay-oper
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Intelligence Requested:
Market:

This is an Quay specific issue for this directive: https://issues.redhat.com/browse/OCPSTRAT-1699

Summary:

Red Hat Product Security recommends that pods be deployed with readOnlyRootFilesystem set to true in the SecurityContext, but does not require it because a successful attack can only be carried out with a combination of weaknesses and OpenShift runs with a variety of mitigating controls.

However, customers are increasingly asking questions about why pods from Red Hat, and deployed as part of OpenShift, do not follow common hardening recommendations.

Note that setting readOnlyRootFilesystem to true ensures that the container's root filesystem is mounted as read-only. This setting has nothing to do with host access.

We need to:

Investigate the impact to Quay, Clair, Postgres & Redis
If necessary, make appropriate changes in either Quay 3.15 or 3.16

is triggered by

OCPSTRAT-2045 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20]

OCPSTRAT-1699 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.19]

In Progress

Assignee:: Unassigned

Reporter:: Daniel Messer

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/03/17 3:28 PM

Updated:: 2025/04/09 8:05 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide