Project Quay / PROJQUAY-9605

Enhance security for Quay/OMR images (least privilege, seccomp, readonlyRootFS)

    • Feature
    • Resolution: Unresolved
    • Normal
    • OMR, quay

      Feature overview (aka. goal summary) 

      Enhance the default security of Red Hat Quay and Mirror Registry by configuring images for least-privilege (minimal capabilities), publishing a hardened seccomp profile for standalone (non-OCP) deployments, and setting the root filesystem to read-only on OCP.

      Goals (aka. expected user outcomes) 

      The primary goal is to significantly reduce the attack surface of Quay/Mirror Registry deployments by adopting a secure-by-default model. This will empower users to:

      • Mitigate risks: Run containers with a minimal, audited set of Linux capabilities, preventing exploits that rely on default privileges.
      • Achieve consistent security: Apply syscall-level hardening (seccomp) to standalone deployments, matching the RuntimeDefault posture available on OpenShift.
      • Prevent runtime tampering: Ensure the container's root filesystem is mounted as read-only on OCP, blocking potential persistence or modification attacks.  
      • Deploy confidently: Easily apply security best practices using official, Red Hat-provided profiles and configurations, simplifying security audits.

      Background 

      Standalone deployments of Quay/OpenShift Mirror Registry (e.g., via podman) currently lack the automatic seccomp hardening that OpenShift 4.11+ provides.  Additionally, the images may run with unnecessary Linux capabilities and do not follow the readOnlyRootFilesystem recommendation on OCP. 

      This feature closes these security gaps by hardening the images and providing official security artifacts for all users.

      Requirements (aka. acceptance criteria):

      1. Container capability minimization

      • Audit and identify the absolute minimal set of Linux capabilities required for the Quay/Mirror Registry container to function.
      • Modify the container images to DROP: ALL capabilities by default and ADD only the required minimal set.
      • Validate that all core application functionality (e.g., serving images, garbage collection) operates correctly with the reduced capability set.

       
      2. Hardened seccomp profile for standalone (non-OCP) deployments

      • Create and publish an official, hardened seccomp profile (e.g., based on RuntimeDefault) for standalone Quay or OpenShift Mirror Registry deployments.
      • Validate the profile blocks unnecessary syscalls without breaking core functionality when used in a standalone (e.g., podman) environment.

      3. Read-only root filesystem (OCP)

      • Investigate and document the impact of setting readOnlyRootFilesystem: true for Quay, Clair, Postgres, and Redis containers on OCP.
      • Make necessary application or deployment configuration changes (e.g., mounting required writeable paths like /tmp as emptyDir volumes) to allow Quay and Clair to run with a read-only root filesystem.
      • Configure the Quay and Clair containers (via the Operator) to set securityContext.readOnlyRootFilesystem: true by default on OCP.
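
The three requirements above can be checked mechanically against a pod spec. The following is an added example, not code from the Quay project or its Operator: the manifests, the container name `quay-app` and the function `audit_pod` are constructed for illustration, and `allowed_caps` is a placeholder for the minimal capability set that the audit in requirement 1 has yet to identify.

```python
# Added example: audit a pod spec (parsed YAML/JSON) against the three criteria.
# Both manifests below are constructed samples, not Quay Operator output.

def audit_pod(pod_spec, allowed_caps=frozenset(), writable_paths=("/tmp",)):
    """Return sorted 'container: finding' strings; an empty list means compliant."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    empty_dirs = {v["name"] for v in pod_spec.get("volumes", []) if "emptyDir" in v}
    for c in pod_spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        # 1. Capability minimization: drop ALL, add back only the audited set.
        if "ALL" not in {d.upper() for d in caps.get("drop", [])}:
            findings.append(f"{name}: capabilities.drop lacks ALL")
        extra = {a.upper() for a in caps.get("add", [])} - set(allowed_caps)
        if extra:
            findings.append(f"{name}: unapproved capabilities {sorted(extra)}")
        # 2. Seccomp: a container-level profile overrides the pod-level one.
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (Unconfined or unset)")
        # 3. Read-only root filesystem, with writable paths backed by emptyDir.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        mounts = {m["mountPath"]: m for m in c.get("volumeMounts", [])}
        for path in writable_paths:
            m = mounts.get(path)
            if not m or m["name"] not in empty_dirs or m.get("readOnly"):
                findings.append(f"{name}: {path} is not a writable emptyDir mount")
    return sorted(findings)

HARDENED = {  # constructed: meets all three criteria
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{
        "name": "quay-app",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
}
WEAK = {  # constructed: default capabilities plus one extra, nothing else set
    "containers": [{"name": "quay-app",
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    print("\n".join(audit_pod(WEAK)) or "compliant")
```

Setting `readOnlyRootFilesystem: true` without the matching emptyDir mount is reported as a separate finding, since that is the combination that breaks the application at runtime.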

      Documentation considerations

      • Update the official security documentation to explicitly list the minimal required capability set.
      • Publish the new seccomp profile, explain its security benefits, and provide clear examples for applying it (e.g., podman run --security-opt seccomp=...).

              Unassigned
              rhn-coreos-tunwu Tony Wu