Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set readOnlyRootFilesystem to true for all containers #66

Closed
timp87 opened this issue May 1, 2023 · 2 comments
Closed

Set readOnlyRootFilesystem to true for all containers #66

timp87 opened this issue May 1, 2023 · 2 comments

Comments

@timp87
Copy link
Contributor

timp87 commented May 1, 2023
edited
Loading

My proposal is to set (hardcode) readOnlyRootFilesystem to true for all containers securityContext.

I find this a nice security measure and in my experience many companies enforce this setting to be on for all containers. General rule in such case is to explicitly state what volumes should be mounted.
I have tried running csi-driver-lvm (0.5.3) storage class containers (all 6 containers) with readOnlyRootFilesystem set to true and found only one problem.
If we agree here I can prepare a PR.
@chbmuc
Copy link

chbmuc commented May 1, 2023

Sure! I think this will be a useful security improvement. Please go ahead and send a PR.

@timp87 timp87 mentioned this issue May 1, 2023
Merged
@timp87
Copy link
Contributor Author

timp87 commented May 2, 2023

Closing this issue. We may continue discussion in #67 if needed

@timp87 timp87 closed this as completed May 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chbmuc @timp87