Uploaded image for project: 'OpenShift Storage'
  1. OpenShift Storage
  2. STOR-2560

[csi-driver-operators] Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20]

XMLWordPrintable

    • Enable readOnlyRootFilesystem in csi-drivers
    • Product / Portfolio Work
    • OCPSTRAT-2045Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20]
    • 50% To Do, 50% In Progress, 0% Done
    • False
    • None
    • False
    • None
    • 1

      Red Hat Product Security recommends that pods be deployed with readOnlyRootFilesystem set to true in the SecurityContext, but does not require it because a successful attack can only be carried out with a combination of weaknesses and OpenShift runs with a variety of mitigating controls. 

      However, customers are increasingly asking questions about why pods from Red Hat, and deployed as part of OpenShift, do not follow common hardening recommendations. 

      Note that setting readOnlyRootFilesystem to true ensures that the container's root filesystem is mounted as read-only. This setting has nothing to do with host access. 

      For more information, see 
      https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

      Setting the readOnlyRootFilesystem flag to true reduces the attack surface of your containers, preventing an attacker from manipulating the contents of your container and its root file system.

      If your container needs to write temporary files, you can specify the ability to mount an emptyDir in the Security Context for your pod as described here. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 

      The following containers have been identified by customer scans as needing remediation. If your pod will not function with readOnlyRootFilesystem set to true, please document why so that we can document the reason for the exception. 

      • Service Mesh operator with sidecar-injector (this needs some additional investigation as we no longer ship the sidecar-injector with Service Mesh)
      • S2I and Build operators: webhook
      • tekton-pipelines-controller 
      • tekton-chains-controller 
      • openshift-pipelines-operator-cluster-operations 
      • tekton-operator-webhook 
      • openshift-pipelines-operator-lifecycle-event-listener 
      • Pac-webhook (part of Pipelines)
      • Cluster ingress operator: serve-healthcheck-canary 
      • Node tuning operator: Tuned
      • Machine Config Operator: Machine-config-daemon
      • ACM Operator: Klusterlet-manifestwork-agent. This was fixed in ACM 2.10. https://github.com/stolostron/ocm/blob/backplane-2.5/manifests/klusterlet/management/klusterlet-work-deployment.yaml

          1.
          		 vmware-vsphere-csi-driver-operator Sub-task Code Review Undefined Allen Ray
          2.
          		 ibm-vpc-block-csi-driver-operator Sub-task Code Review Undefined Allen Ray
          3.
          		 gcp-filestore-csi-driver-operator Sub-task Code Review Undefined Allen Ray
          4.
          		 gcp-pd-csi-driver-operator Sub-task Code Review Undefined Allen Ray
          5.
          		 csi-operator Sub-task Code Review Undefined Allen Ray

              rhn-support-tsmetana Tomas Smetana
              alray@redhat.com Allen Ray
              None
              Wei Duan
              Chao Yang Chao Yang
              None
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: