OpenShift Pipelines / SRVKP-7303

Require `readOnlyRootFilesystem: true` on Pipelines pods

Status: Done
Parent: OCPSTRAT-2045 - Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20]
Progress: 0% To Do, 0% In Progress, 100% Done
    • All OpenShift Pipelines containers (controllers, webhooks, ...) now ship with readOnlyRootFilesystem set to true, following security best practice.

      Epic Goal (mandatory)

      Security best practice for Kubernetes is to set readOnlyRootFilesystem: true on every container, so that a compromised process cannot modify the image's own filesystem (dropping tools, patching binaries, tampering with bundled configuration); anything the process legitimately needs to write goes to a mounted volume instead. All OpenShift Pipelines operators and operands should explicitly set readOnlyRootFilesystem to true unless there is a legitimate reason not to, documented with an explanation of why the root filesystem must remain writable.

       
      Why is this important? (mandatory)

      Security audits run against OpenShift Container Platform 4 repeatedly flag vendor-specific containers that neither set readOnlyRootFilesystem: true nor justify why readOnlyRootFilesystem: false is set.

       
      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. As an OCP admin, I want to ensure that best practices are applied unless there is a valid reason not to do so.

       
      Dependencies (internal and external) (mandatory)

      What items must be delivered by other teams/groups to enable delivery of this epic. 

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation -
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Every OpenShift Pipelines operator and operand container explicitly sets readOnlyRootFilesystem to true; any container left writable carries a written justification for why its root filesystem cannot be read-only.

      Drawbacks or Risk (optional)

      Containers that write to their root filesystem (for example to /tmp, a cache directory or a home directory) fail at runtime once it becomes read-only, so each such path needs an emptyDir or other volume mounted over it, and the change must be verified by actually exercising the controllers and webhooks rather than by the pods merely being admitted.
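The audit and the mitigation described in the Epic Goal and Drawbacks sections, as an added example that is not OpenShift Pipelines code: a small Python script that walks a Pod spec, reports every init and regular container that does not explicitly set readOnlyRootFilesystem: true (an absent key counts as non-compliant, since Kubernetes defaults to a writable root), and hardens a named container by setting the flag and backing its writable paths with emptyDir volumes. The sample Pod, the container names and images, the scratch paths, and the function names are all constructed for illustration.

```python
"""Audit a Pod spec for containers missing readOnlyRootFilesystem: true and
harden one by setting the flag and mounting emptyDir volumes over the paths it
must still write to. Added example, not OpenShift Pipelines code; standard
library only, so it runs offline against the constructed pod below."""
import copy
import json

# Constructed sample, loosely shaped like a controller Deployment's pod template.
# Container names, images and paths are assumptions for illustration.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "example-controller"},
  "spec": {
    "initContainers": [
      {"name": "init-config", "image": "example/init:1.0"}
    ],
    "containers": [
      {"name": "controller", "image": "example/controller:1.0",
       "securityContext": {"runAsNonRoot": true}},
      {"name": "webhook", "image": "example/webhook:1.0",
       "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "legacy", "image": "example/legacy:1.0",
       "securityContext": {"readOnlyRootFilesystem": false}}
    ]
  }
}
""")


def all_containers(pod):
    """Yield (kind, container) for every init, regular and ephemeral container."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            yield kind, c


def missing_read_only_root(pod):
    """Names of containers whose securityContext does not set
    readOnlyRootFilesystem to exactly True. A missing securityContext or a
    missing key is treated like false, because the Kubernetes default is a
    writable root filesystem; only an explicit true passes the audit."""
    return [
        c["name"]
        for _, c in all_containers(pod)
        if (c.get("securityContext") or {}).get("readOnlyRootFilesystem") is not True
    ]


def harden_container(pod, name, writable_paths=("/tmp",)):
    """Return a deep copy of `pod` in which container `name` has
    readOnlyRootFilesystem: true and each path in `writable_paths` is backed by
    its own emptyDir volume, so scratch writes keep working after the change.
    The input pod is left untouched; an unknown name raises KeyError."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    spec.setdefault("volumes", [])
    for _, c in all_containers(hardened):
        if c["name"] != name:
            continue
        sc = c.setdefault("securityContext", {})
        sc["readOnlyRootFilesystem"] = True
        mounts = c.setdefault("volumeMounts", [])
        for i, path in enumerate(writable_paths):
            vol_name = f"{name}-scratch-{i}"   # assumed naming scheme
            spec["volumes"].append({"name": vol_name, "emptyDir": {}})
            mounts.append({"name": vol_name, "mountPath": path})
        return hardened
    raise KeyError(f"no container named {name!r}")


if __name__ == "__main__":
    print("non-compliant:", missing_read_only_root(SAMPLE_POD))
    fixed = SAMPLE_POD
    for n in missing_read_only_root(SAMPLE_POD):
        fixed = harden_container(fixed, n)
    print("after hardening:", missing_read_only_root(fixed))
    print(json.dumps(fixed["spec"]["containers"][0], indent=2))
```

Treating an absent key as a failure is the important choice: an audit that only looks for an explicit false would pass the `controller` container above even though its root filesystem is writable. The list of writable paths has to come from observing what the process actually writes (strace, or simply running it read-only and reading the EROFS errors), which is the verification step the Drawbacks section asks for.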

       

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

              vdemeest Vincent Demeester
              rh-ee-ssadeghi Siamak Sadeghianfar

              Original Estimate: 1 week, 2 days; Remaining Estimate: 1 week, 2 days; Time Spent: Not Specified